Windows Analysis Report
YESOHDKMIm.exe

Overview

General Information

Sample name: YESOHDKMIm.exe (renamed because the original name is a hash value)
Original sample name: df25fa5d95355db39284da9c5e28bc040305fb125683a470b92c7a4cc225645c.exe
Analysis ID: 1550261
MD5: f9294a439c591bba283f7c6d9ed5aa37
SHA1: 674bd10def1727876706c9861fb16850fdd7a2d0
SHA256: df25fa5d95355db39284da9c5e28bc040305fb125683a470b92c7a4cc225645c
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Family: Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Process Tree

  • System is w10x64
  • YESOHDKMIm.exe (PID: 2804 cmdline: "C:\Users\user\Desktop\YESOHDKMIm.exe" MD5: F9294A439C591BBA283F7C6D9ED5AA37)
    • WerFault.exe (PID: 5928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 992 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1132 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2796 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1128 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1156 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1156 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1136 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • yavascript.exe (PID: 7148 cmdline: "C:\Users\user\AppData\Roaming\yavascript.exe" MD5: F9294A439C591BBA283F7C6D9ED5AA37)
      • WerFault.exe (PID: 1820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 680 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 2320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 2280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 688 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 680 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 728 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 2296 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 968 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • yavascript.exe (PID: 3236 cmdline: "C:\Users\user\AppData\Roaming\yavascript.exe" MD5: F9294A439C591BBA283F7C6D9ED5AA37)
    • WerFault.exe (PID: 3820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 584 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Threat information (Malpedia)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos, extracted from process memory):
{
  "Host:Port:Password": ["198.23.227.212:32583:1"],
  "Assigned name": "Yavakosa",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "AppData",
  "Copy file": "yavascript.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-T59BEJ",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "",
  "Keylog folder": "remcos"
}
Yara matches in memory dumps
Source | Rule | Description | Author | Strings
00000019.00000002.1539850016.0000000000750000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1496727546.0000000002110000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000019.00000002.1539911339.00000000007BA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1496387665.0000000000694000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(64 entries in total; the remainder are not shown here)
Note on the two Windows_Trojan_RedLineStealer_ed346e4c hits: the only string reported for them is a 22-byte code sequence (a function prologue followed by argument and register setup), not a RedLine-specific artifact, and every other rule, the configuration extractor and the network signatures agree on Remcos. Treat these as a code-pattern overlap rather than evidence of a second family.
Yara matches in unpacked PE files
Source | Rule | Description | Author | Strings
15.3.yavascript.exe.2280000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
15.3.yavascript.exe.2280000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
15.3.yavascript.exe.2280000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
15.3.yavascript.exe.2280000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x69cb8:$a1: Remcos restarted by watchdog!
  • 0x6a230:$a3: %02i:%02i:%02i:%03i
15.3.yavascript.exe.2280000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x63d0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63c88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63c88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64188:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x649b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x63d7c:$str_b2: Executing file:
  • 0x64dfc:$str_b3: GetDirectListeningPort
  • 0x647a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64928:$str_b7: \update.vbs
  • 0x63da4:$str_b9: Downloaded file:
  • 0x63d90:$str_b10: Downloading file:
  • 0x63e34:$str_b12: Failed to upload file:
  • 0x64dc4:$str_b13: StartForward
  • 0x64de4:$str_b14: StopForward
  • 0x64880:$str_b15: fso.DeleteFile "
  • 0x64814:$str_b16: On Error Resume Next
  • 0x648b0:$str_b17: fso.DeleteFolder "
  • 0x63e24:$str_b18: Uploaded file:
  • 0x63de4:$str_b19: Unable to delete:
  • 0x64848:$str_b20: while fso.FileExists("
  • 0x642c1:$str_c0: [Firefox StoredLogins not found]
(103 entries in total; the remainder are not shown here)
Reading the REMCOS_RAT_variants strings: $str_a3/$str_a4 are the command line the RAT hands to cmd.exe to rewrite the EnableLUA policy value (the rule output is truncated at REG_DWOR), $str_a5 and $str_c0 are the Chrome and Firefox credential-store paths behind the "steal passwords or cookies" signatures, and the $str_b* fragments (update.vbs, FileSystemObject, a "while fso.FileExists" loop followed by DeleteFile/DeleteFolder and DeleteFile(Wscript.ScriptFullName)) are a VBScript helper that waits for a file to disappear, removes it and then deletes itself, the pattern of a self-removing update or uninstall stub.

              System Summary

Sigma rule match (see "Sigma detected: CurrentVersion Autorun Keys Modification" in the signature list above)
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: "C:\Users\user\AppData\Roaming\yavascript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\YESOHDKMIm.exe, ProcessId: 2804, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-T59BEJ

              Stealing of Sensitive Information

Sigma rule match (see "Sigma detected: Remcos" in the signature list above)
Source: Registry Key set
Author: Joe Security
Data: Details: BB 5F C3 1B 72 8A 0C 7B B4 FF 8D 4B C0 C9 09 46 B6 71 F0 15 F2 10 11 3C 39 DF 3A E3 77 05 64 D8 D6 ED B0 1D F8 6C 92 F6 C4 77 A4 C2 7F DD 44 DF 78 0B 80 42 BB 1C 2F FE 1E C4 56 E2 D4 F4 5E A1 D1 7B B7 DF FD CD 3F 93 71 2A 5D 69 82 37 4C C6 D9 B6 EA 5E 46 C3 B6 49 7C B3, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\yavascript.exe, ProcessId: 7148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-T59BEJ\exepath
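The two registry events above (the Run value written by the dropper under the mutex name, and the exepath value the installed copy writes under HKCU\SOFTWARE\Rmc-T59BEJ), together with the extracted configuration, are enough to build a host-side hunt. The Python below is an added example and is not Joe Sandbox or Remcos code: it derives the expected artifacts from the configuration dictionary shown earlier in this report and checks Sysmon-style registry SetValue events against them. The event list is constructed (the first two records mirror the report's events, the other two are invented for contrast), the "Rmc-" value-name pattern is an assumption generalised from this sample's mutex, and the EnableLUA check is motivated by the reg.exe ADD ... EnableLUA string in the REMCOS_RAT_variants rule match above rather than by an event the sandbox recorded.

```python
"""Host-artifact hunt built from the Remcos configuration in this report.

Added example, not Joe Sandbox or Remcos code. SAMPLE_EVENTS is constructed:
the first two records mirror the report's registry events, the last two are
invented for contrast. The "Rmc-" value-name pattern is an assumption
generalised from this sample's mutex.
"""
import re
from dataclasses import dataclass

RUN_HKCU = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UAC_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RMC_NAME = re.compile(r"^Rmc-[A-Za-z0-9]+$")   # assumption, see module docstring
USER_WRITABLE = ("\\appdata\\roaming", "\\appdata\\local\\temp", "\\users\\public", "\\desktop\\")

# Subset of the configuration the sandbox extracted (values as on the page).
REMCOS_CONFIG = {
    "Host:Port:Password": ["198.23.227.212:32583:1"],
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy file": "yavascript.exe",
    "Mutex": "Rmc-T59BEJ",
}


def expected_artifacts(cfg):
    """Turn a Remcos config dict into the artifacts the implant should leave.

    Only the "AppData" install-path option this sample uses is mapped to a
    folder; other Remcos install options are not modelled (assumption).
    """
    mutex = cfg["Mutex"]
    folder = {"AppData": "%APPDATA%"}.get(cfg["Install path"], cfg["Install path"])
    run_values = [root + "\\" + mutex
                  for root, flag in ((RUN_HKCU, "Setup HKCU\\Run"), (RUN_HKLM, "Setup HKLM\\Run"))
                  if cfg.get(flag) == "Enable"]
    c2 = [(host, int(port)) for host, port, _pw in
          (entry.rsplit(":", 2) for entry in cfg["Host:Port:Password"])]
    return {
        "c2": c2,
        "install_path": folder + "\\" + cfg["Copy file"],
        "run_values": run_values,
        # install state lives under HKCU\SOFTWARE\<mutex>; this report shows the exepath value
        "config_value": r"HKEY_CURRENT_USER\SOFTWARE" + "\\" + mutex + r"\exepath",
    }


@dataclass
class RegEvent:
    """Trimmed Sysmon EventID 13 (registry value set) record."""
    image: str
    pid: int
    target: str   # TargetObject: key path + value name
    details: str  # Details as Sysmon renders them (string, or hex dump for binary data)


SAMPLE_EVENTS = [
    RegEvent(r"C:\Users\user\Desktop\YESOHDKMIm.exe", 2804,
             RUN_HKCU + r"\Rmc-T59BEJ", r'"C:\Users\user\AppData\Roaming\yavascript.exe"'),
    RegEvent(r"C:\Users\user\AppData\Roaming\yavascript.exe", 7148,
             r"HKEY_CURRENT_USER\SOFTWARE\Rmc-T59BEJ\exepath", "BB 5F C3 1B 72 8A 0C 7B"),
    RegEvent(r"C:\Program Files\Vendor\updater.exe", 4100,            # invented benign record
             RUN_HKCU + r"\VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /tray'),
    RegEvent(r"C:\Windows\System32\reg.exe", 5200,                    # invented UAC tamper record
             UAC_POLICY + r"\EnableLUA", "DWORD (0x00000000)"),
]


def classify(ev, artifacts):
    """Return the reasons an event is suspicious; an empty list means none."""
    key, _, value_name = ev.target.rpartition("\\")
    reasons = []
    if key in (RUN_HKCU, RUN_HKLM):
        low = (ev.details + " " + ev.image).lower()
        if any(p in low for p in USER_WRITABLE):
            reasons.append("autorun value set from or pointing at a user-writable path")
        if RMC_NAME.match(value_name):
            reasons.append("Remcos-style Run value name")
        if ev.target in artifacts["run_values"]:
            reasons.append("matches config-derived persistence value")
    if ev.target == artifacts["config_value"]:
        reasons.append("Remcos exepath state under HKCU\\SOFTWARE\\<mutex>")
    if key == UAC_POLICY and value_name == "EnableLUA" and "0x00000000" in ev.details:
        reasons.append("EnableLUA cleared (UAC disabled, matches the reg.exe ADD string in the RAT)")
    return reasons


def hunt(events, cfg):
    """Map PID -> reasons for every event that trips at least one check."""
    artifacts = expected_artifacts(cfg)
    return {ev.pid: r for ev in events if (r := classify(ev, artifacts))}


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS, REMCOS_CONFIG).items():
        print(pid, "->", "; ".join(reasons))
```

The generic check (a Run value whose data or writing process sits in a user-writable directory) is what the Sigma autorun rule fires on and would catch a Remcos build with a customised mutex; the config-derived checks add precision once a configuration has been extracted. The exepath data is binary (the report shows a hex dump), so the check keys on the value path rather than its contents.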
Suricata alerts, SID 2022930 (inbound HTTPS, low severity)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T16:13:14.959931+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.9 | 49782 | TCP
2024-11-06T16:13:53.531773+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.9 | 49998 | TCP

Suricata alerts, SID 2036594 (outbound to the configured C2 198.23.227.212:32583)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T16:12:50.587302+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49751 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:09.816855+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49762 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:12.328671+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49773 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:14.896333+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49788 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:17.315764+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49797 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:18.933205+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49807 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:20.878528+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49816 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:22.690599+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49822 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:24.212375+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49833 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:25.742825+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49844 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:27.519667+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49852 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:29.092252+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49861 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:31.318077+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49871 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:32.848204+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49882 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:34.530339+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49891 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:36.093696+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49900 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:37.885598+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49911 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:39.420587+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49921 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:40.952141+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49927 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:42.476589+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49938 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:44.016250+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49947 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:45.554180+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49955 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:47.080203+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49965 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:48.997526+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49975 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:50.516346+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49984 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:52.063169+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49993 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:53.604000+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50005 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:55.157165+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50008 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:56.702594+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50009 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:58.251867+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50010 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:59.866697+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50011 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:01.381368+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50012 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:02.905941+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50013 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:04.392920+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50014 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:05.857574+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50015 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:07.287871+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50016 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:08.682370+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50017 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:10.053950+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50018 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:11.397316+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50019 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:12.730364+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50020 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:14.020702+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50021 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:15.288186+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50022 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:16.516602+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50023 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:17.989362+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50024 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:19.211024+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50025 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:20.408510+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50026 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:21.564136+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50027 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:22.712105+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50028 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:23.990144+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50029 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:25.070156+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50030 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:26.266292+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50031 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:27.328260+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50032 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:28.571776+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50033 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:29.708123+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50034 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:30.725785+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50035 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:31.911090+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50036 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:32.902479+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50037 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:33.944221+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50038 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:35.266911+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50039 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:36.197653+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50040 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:37.483394+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50041 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:38.396275+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50042 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:39.302597+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50043 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:40.492107+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50044 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:41.349870+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50045 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:42.234145+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50046 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:43.582174+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50047 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:44.444096+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50048 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:45.798602+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50049 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:46.708786+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50050 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:47.592066+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50051 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:48.430357+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50052 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:49.804094+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50053 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:50.808322+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50054 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:52.025340+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50055 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:52.884189+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50056 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:53.657141+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50057 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:55.194016+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50058 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:56.072013+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50059 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:57.350658+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50060 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:58.200549+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50061 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:59.207971+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50062 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:00.367017+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50063 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:01.251432+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50064 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:02.632756+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50065 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:03.484073+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50066 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:04.356513+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50067 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:05.244012+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50068 | 198.23.227.212 | 32583 | TCP
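With the alert table in front of us, the practitioner's next question is whether this traffic has the periodicity of a beacon rather than being a burst of one-off connections. The Python below is an added example and is not Joe Sandbox or Suricata code: it re-reads the first twelve SID 2036594 rows, transcribed into a pipe-delimited layout (the layout is ours, the values are the report's), groups them by (source, destination, destination port) and scores the inter-arrival regularity with median and MAD, so that the single long gap between the first and second connection does not hide the roughly 1.5 to 2.5 second reconnect cadence. Every alert carries a fresh ephemeral source port, which is consistent with an implant that reconnects on the configured "Connect interval" of 1 second rather than holding a session. The thresholds (eight connections, MAD within half the median) are assumptions to tune for your own telemetry.

```python
"""Beacon-interval analysis of the Suricata C2 alerts in this report.

Added example, not Joe Sandbox or Suricata code. ALERT_ROWS holds the first
twelve SID 2036594 rows from the report, transcribed into a pipe-delimited
layout (the layout is ours; the values are the report's).
"""
from datetime import datetime
from statistics import median

ALERT_ROWS = """\
2024-11-06T16:12:50.587302+0100|2036594|192.168.2.9|49751|198.23.227.212|32583
2024-11-06T16:13:09.816855+0100|2036594|192.168.2.9|49762|198.23.227.212|32583
2024-11-06T16:13:12.328671+0100|2036594|192.168.2.9|49773|198.23.227.212|32583
2024-11-06T16:13:14.896333+0100|2036594|192.168.2.9|49788|198.23.227.212|32583
2024-11-06T16:13:17.315764+0100|2036594|192.168.2.9|49797|198.23.227.212|32583
2024-11-06T16:13:18.933205+0100|2036594|192.168.2.9|49807|198.23.227.212|32583
2024-11-06T16:13:20.878528+0100|2036594|192.168.2.9|49816|198.23.227.212|32583
2024-11-06T16:13:22.690599+0100|2036594|192.168.2.9|49822|198.23.227.212|32583
2024-11-06T16:13:24.212375+0100|2036594|192.168.2.9|49833|198.23.227.212|32583
2024-11-06T16:13:25.742825+0100|2036594|192.168.2.9|49844|198.23.227.212|32583
2024-11-06T16:13:27.519667+0100|2036594|192.168.2.9|49852|198.23.227.212|32583
2024-11-06T16:13:29.092252+0100|2036594|192.168.2.9|49861|198.23.227.212|32583
"""


def parse_rows(text):
    """Parse timestamp|sid|src|sport|dst|dport lines into dicts with aware datetimes."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, src, sport, dst, dport = line.split("|")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    return rows


def beacon_stats(rows, min_connections=8, max_jitter=0.5):
    """Score inter-arrival regularity per (src, dst, dport) flow tuple.

    Median and MAD (median absolute deviation) are used instead of mean and
    standard deviation so that one long gap (here about 19 s between the
    first and second connection) does not hide an otherwise steady cadence.
    The thresholds are assumptions to tune per environment.
    """
    groups = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        groups.setdefault((r["src"], r["dst"], r["dport"]), []).append(r)
    result = {}
    for key, rs in groups.items():
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        if len(gaps) < 2:
            continue
        med = median(gaps)
        mad = median(abs(g - med) for g in gaps)
        result[key] = {
            "connections": len(rs),
            # one ephemeral port per alert means each beacon is a fresh TCP session
            "distinct_source_ports": len({r["sport"] for r in rs}),
            "median_gap_s": med,
            "mad_s": mad,
            "max_gap_s": max(gaps),
            "beacon_like": len(rs) >= min_connections and mad <= max_jitter * med,
        }
    return result


if __name__ == "__main__":
    for key, stats in beacon_stats(parse_rows(ALERT_ROWS)).items():
        print(key, stats)
```

On the twelve rows the median gap is about 1.81 s with a MAD of about 0.28 s, and the 19 s outlier shows up only in the maximum, which is the behaviour that makes the robust statistics preferable to a mean-based jitter score for short captures.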


              AV Detection

Source: YESOHDKMIm.exe; Avira: detected
Source: 00000000.00000002.1496387665.0000000000694000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T59BEJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Roaming\yavascript.exe; ReversingLabs: Detection: 60%
Source: YESOHDKMIm.exe; ReversingLabs: Detection: 60%
Source: Yara match; File source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000019.00000002.1539911339.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1496387665.0000000000694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2618326835.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability
Source: YESOHDKMIm.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\YESOHDKMIm.exe; Code function: 0_2_004338C8 CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: C:\Users\user\Desktop\YESOHDKMIm.exe; Code function: 0_2_02193B2F CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\yavascript.exe; Code function: 15_2_004338C8 CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\yavascript.exe; Code function: 15_2_020C3B2F CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\yavascript.exe; Code function: 25_2_004338C8 CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\yavascript.exe; Code function: 25_2_021C3B2F CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: YESOHDKMIm.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

              Source: Yara match File source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match File source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match File source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTR

              Privilege Escalation

              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00407538 _wcslen,CoGetObject, 0_2_00407538
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00407538 _wcslen,CoGetObject, 15_2_00407538
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00407538 _wcslen,CoGetObject, 25_2_00407538
              Source: YESOHDKMIm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0044E8F9 FindFirstFileExA, 0_2_0044E8F9
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0217C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0217C589
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0216C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0216C5EF
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02168AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_02168AAE
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02167ADE FindFirstFileW,FindNextFileW, 0_2_02167ADE
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_021AEB60 FindFirstFileExA, 0_2_021AEB60
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02169907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_02169907
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0216BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0216BDD2
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02179DED FindFirstFileW, 0_2_02179DED
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_0040928E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 15_2_0041C322
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 15_2_0040C388
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_004096A0
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 15_2_00408847
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00407877 FindFirstFileW,FindNextFileW, 15_2_00407877
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0044E8F9 FindFirstFileExA, 15_2_0044E8F9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0040BB6B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 15_2_00419B86
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 15_2_0040BD72
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020AC589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 15_2_020AC589
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0209C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 15_2_0209C5EF
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_02098AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 15_2_02098AAE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_02097ADE FindFirstFileW,FindNextFileW, 15_2_02097ADE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020DEB60 FindFirstFileExA, 15_2_020DEB60
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_02099907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_02099907
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0209BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0209BDD2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020A9DED FindFirstFileW, 15_2_020A9DED
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_0040928E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 25_2_0041C322
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 25_2_0040C388
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_004096A0
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 25_2_00408847
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00407877 FindFirstFileW,FindNextFileW, 25_2_00407877
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0044E8F9 FindFirstFileExA, 25_2_0044E8F9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 25_2_0040BB6B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 25_2_00419B86
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 25_2_0040BD72
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021AC589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 25_2_021AC589
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0219C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 25_2_0219C5EF
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_02198AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 25_2_02198AAE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_02197ADE FindFirstFileW,FindNextFileW, 25_2_02197ADE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021DEB60 FindFirstFileExA, 25_2_021DEB60
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_02199907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_02199907
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0219BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 25_2_0219BDD2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021A9DED FindFirstFileW, 25_2_021A9DED
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,HeapCreate,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3d328a8faf94a4241bd0f3187864b2c92a157f9_012b365d_c78d28d7-2adb-4b67-8c0b-397c281cde3f\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_96681bba23e4b313c649b06b74a0d9f844b06fff_012b365d_21b14de8-9abb-49d0-9025-9a35c86b09c3\

              Networking

              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9 -> 198.23.227.212:32583 (88 alerts, one per client connection; source ports in the order reported: 49762, 49773, 49788, 49797, 49807, 49816, 49822, 49871, 49844, 49852, 49882, 49861, 49833, 49900, 49891, 49911, 49921, 49927, 49938, 49947, 49955, 49965, 49975, 49984, 49993, 50005, 50008, 50010, 50012, 50011, 50016, 50017, 50022, 50020, 50018, 50013, 50025, 50024, 50026, 50014, 50034, 50028, 50035, 50038, 50030, 50041, 50037, 50040, 50049, 50047, 50059, 50051, 50015, 50056, 50033, 50032, 50044, 50063, 50061, 50052, 50036, 50054, 50062, 50055, 50019, 50066, 50053, 50067, 50068, 50023, 50021, 50060, 50050, 50045, 50064, 50009, 50039, 50065, 50046, 50057, 50027, 50029, 50048, 50031, 50058, 50043, 50042, 49751)
              Source: Malware configuration extractor IPs: 198.23.227.212
              Source: global traffic TCP traffic: 192.168.2.9:49751 -> 198.23.227.212:32583
              Source: Joe Sandbox View IP Address: 198.23.227.212 198.23.227.212
              Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
              Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49782
              Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.9:49998
              Source: unknown TCP traffic detected without corresponding DNS query: 198.23.227.212 (reported 50 times)
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
              Source: yavascript.exe | String found in binary or memory: http://geoplugin.net/json.gp
              Source: YESOHDKMIm.exe, 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, YESOHDKMIm.exe, 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, YESOHDKMIm.exe, 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yavascript.exe, 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
              Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTR

              E-Banking Fraud

              Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000019.00000002.1539911339.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1496387665.0000000000694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2618326835.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041CA73 SystemParametersInfoW
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0217CCDA SystemParametersInfoW
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0041CA73 SystemParametersInfoW
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020ACCDA SystemParametersInfoW
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0041CA73 SystemParametersInfoW
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021ACCDA SystemParametersInfoW

              System Summary

              Source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000019.00000002.1539850016.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000000.00000002.1496727546.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.2617952063.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
              Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
              Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
              Source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02173574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0217D887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0217BE01 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0217BE2D OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020A3574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020AD887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020ABE01 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020ABE2D OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021A3574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021AD887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021ABE01 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021ABE2D OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02176A5B ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020A6A5B ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021A6A5B ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0043706A
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00414005
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0043E11C
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_004541D9
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_004381E8
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0041F18B
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00446270
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0043E34B
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_004533AB
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0042742E
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00437566
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0043E5A8
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_004387F0
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0043797E
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_004339D7
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0044DA49
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00427AD7
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0041DBF3
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00427C40
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00437DB3
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00435EEB
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0043DEED
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00426E9F
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_021972D1
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0219E383
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0217F3F2
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02187106
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0219E154
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_021B3612
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02187695
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_021A64D7
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0219E5B2
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02198A57
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0219E80F
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0217DE5A
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02187EA7
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02193C3E
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02187D3E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0043706A
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00414005
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0043E11C
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_004541D9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_004381E8
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0041F18B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00446270
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0043E34B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_004533AB
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0042742E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00437566
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0043E5A8
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_004387F0
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0043797E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_004339D7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0044DA49
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00427AD7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0041DBF3
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00427C40
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00437DB3
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00435EEB
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0043DEED
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00426E9F
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020C72D1
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020CE383
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020AF3F2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020B7106
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020CE154
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020E3612
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020B7695
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020D64D7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020CE5B2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020C8A57
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020CE80F
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020ADE5A
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020B7EA7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020C3C3E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020B7D3E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0043706A
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00414005
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0043E11C
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_004541D9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_004381E8
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0041F18B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00446270
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0043E34B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_004533AB
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0042742E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00437566
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0043E5A8
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_004387F0
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0043797E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_004339D7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0044DA49
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00427AD7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0041DBF3
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00427C40
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00437DB3
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00435EEB
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0043DEED
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00426E9F
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021C72D1
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021CE383
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021AF3F2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021B7106
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021CE154
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021E3612
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021B7695
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021D64D7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021CE5B2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021C8A57
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021CE80F
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021ADE5A
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021B7EA7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021C3C3E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021B7D3E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 0040417E appears 46 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 021C50D7 appears 45 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 021C4A68 appears 41 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00434801 appears 82 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 020C50D7 appears 45 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00457AA8 appears 34 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00445951 appears 56 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00402213 appears 38 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 004052FD appears 32 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00434E70 appears 108 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00401FAB appears 39 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 020C4A68 appears 41 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00411FA2 appears 32 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00402093 appears 100 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 004020DF appears 40 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 004046F7 appears 34 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 00401E65 appears 69 times
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: String function: 0044854A appears 36 times
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: String function: 00402093 appears 50 times
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: String function: 021950D7 appears 45 times
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: String function: 00434801 appears 41 times
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: String function: 02194A68 appears 41 times
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: String function: 00401E65 appears 35 times
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: String function: 00434E70 appears 54 times
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 992
              Source: YESOHDKMIm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000019.00000002.1539850016.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000000.00000002.1496727546.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.2617952063.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
              Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
              Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
              Source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: YESOHDKMIm.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: yavascript.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@19/67@0/1
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCode function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_0041798D
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCode function: 0_2_02177BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_02177BF4
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCode function: 15_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,15_2_0041798D
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCode function: 15_2_020A7BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,15_2_020A7BF4
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCode function: 25_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,25_2_0041798D
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCode function: 25_2_021A7BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,25_2_021A7BF4
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCode function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040F4AF
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCode function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041B539
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeFile created: C:\Users\user\AppData\Roaming\yavascript.exeJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2804
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7148
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3236
              Source: C:\Users\user\AppData\Roaming\yavascript.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-T59BEJ
              Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\a5e3e4a4-63a5-4b8c-bfcb-42cbeaa9fbfeJump to behavior
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Software\0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Rmc-T59BEJ0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Exe0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Exe0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Rmc-T59BEJ0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: (TG0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Inj0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Inj0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: 0i0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: 0i0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: 0i0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: HSG0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: 0i0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: exepath0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: HSG0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: exepath0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: 0i0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: licence0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: tMG0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: `SG0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: Administrator0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: User0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: del0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: del0_2_0040EA00
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCommand line argument: del0_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCommand line argument: Software\15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCommand line argument: Rmc-T59BEJ15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCommand line argument: Exe15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCommand line argument: Exe15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exeCommand line argument: Rmc-T59BEJ15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: (TG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Inj | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Inj | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: HSG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: exepath | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: HSG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: exepath | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: licence | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: tMG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: `SG | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Administrator | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: User | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: del | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: del | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: del | 15_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Software\ | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: 0SG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Exe | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: 0SG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: (TG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Inj | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Inj | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: HSG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: exepath | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: HSG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: exepath | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: RG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: licence | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: tMG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: `SG | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: Administrator | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: User | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: del | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: del | 25_2_0040EA00
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Command line argument: del | 25_2_0040EA00
              Source: YESOHDKMIm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: YESOHDKMIm.exe | ReversingLabs: Detection: 60%
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | File read: C:\Users\user\Desktop\YESOHDKMIm.exe
              Source: unknown | Process created: C:\Users\user\Desktop\YESOHDKMIm.exe "C:\Users\user\Desktop\YESOHDKMIm.exe"
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 992
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1132
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1128
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1156
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1156
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1136
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 968
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 680
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 708
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 688
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 680
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 732
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 728
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 736
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 732
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: msimg32.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: msvcr100.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: msimg32.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: msvcr100.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: msimg32.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: msvcr100.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

              Data Obfuscation

              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Unpacked PE file: 0.2.YESOHDKMIm.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Unpacked PE file: 15.2.yavascript.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Unpacked PE file: 25.2.yavascript.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CBE1
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00457186 push ecx; ret | 0_2_00457199
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0045E55D push esi; ret | 0_2_0045E566
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00457AA8 push eax; ret | 0_2_00457AC6
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00434EB6 push ecx; ret | 0_2_00434EC9
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02113242 push eax; retf | 0_2_02113244
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02112172 push cs; ret | 0_2_02112175
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02114A64 push 016C66B2h; iretd | 0_2_02114AE7
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02114994 push 016C66B2h; iretd | 0_2_02114AE7
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02113CAA push FFFFFFF6h; retf | 0_2_02113CAC
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_021B73ED push ecx; ret | 0_2_021B7400
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0219511D push ecx; ret | 0_2_02195130
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02184CA7 push esi; ret | 0_2_02184CA9
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_021B7D0F push eax; ret | 0_2_021B7D2D
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00457186 push ecx; ret | 15_2_00457199
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0045E55D push esi; ret | 15_2_0045E566
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00457AA8 push eax; ret | 15_2_00457AC6
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00434EB6 push ecx; ret | 15_2_00434EC9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00762172 push cs; ret | 15_2_00762175
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00763242 push eax; retf | 15_2_00763244
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00764994 push 016C66B2h; iretd | 15_2_00764AE7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00764A64 push 016C66B2h; iretd | 15_2_00764AE7
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00763CAA push FFFFFFF6h; retf | 15_2_00763CAC
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020E73ED push ecx; ret | 15_2_020E7400
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020C511D push ecx; ret | 15_2_020C5130
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020B4CA7 push esi; ret | 15_2_020B4CA9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020E7D0F push eax; ret | 15_2_020E7D2D
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00457186 push ecx; ret | 25_2_00457199
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0045E55D push esi; ret | 25_2_0045E566
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00457AA8 push eax; ret | 25_2_00457AC6
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00434EB6 push ecx; ret | 25_2_00434EC9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00752172 push cs; ret | 25_2_00752175
              Source: YESOHDKMIm.exe | Static PE information: section name: .text entropy: 7.3224419372179845
              Source: yavascript.exe.0.dr | Static PE information: section name: .text entropy: 7.3224419372179845
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW | 0_2_00406EEB
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe | File created: C:\Users\user\AppData\Roaming\yavascript.exe

              Boot Survival

              Source: C:\Users\user\Desktop\YESOHDKMIm.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-T59BEJJump to behavior
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-T59BEJJump to behavior
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-T59BEJJump to behavior
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Users\user\AppData\Roaming\yavascript.exe    Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040F7E2 Sleep,ExitProcess, 0_2_0040F7E2
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0216FA49 Sleep,ExitProcess, 0_2_0216FA49
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040F7E2 Sleep,ExitProcess, 15_2_0040F7E2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0209FA49 Sleep,ExitProcess, 15_2_0209FA49
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040F7E2 Sleep,ExitProcess, 25_2_0040F7E2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0219FA49 Sleep,ExitProcess, 25_2_0219FA49
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A7D9
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0217AA40
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 15_2_0041A7D9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 15_2_020AAA40
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 25_2_0041A7D9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 25_2_021AAA40
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Window / User API: threadDelayed 988
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Window / User API: threadDelayed 8906
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Evaded block: after key decision graph_0-88910
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Evaded block: after key decision graph_0-88881
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe API coverage: 4.2 %
              Source: C:\Users\user\AppData\Roaming\yavascript.exe API coverage: 6.2 %
              Source: C:\Users\user\AppData\Roaming\yavascript.exe API coverage: 4.1 %
              Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 2992 Thread sleep count: 988 > 30
              Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 2992 Thread sleep time: -2964000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 2992 Thread sleep count: 8906 > 30
              Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 2992 Thread sleep time: -26718000s >= -30000s
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0044E8F9 FindFirstFileExA, 0_2_0044E8F9
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0217C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0217C589
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0216C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0216C5EF
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02168AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_02168AAE
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02167ADE FindFirstFileW,FindNextFileW, 0_2_02167ADE
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_021AEB60 FindFirstFileExA, 0_2_021AEB60
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02169907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_02169907
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_0216BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0216BDD2
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_02179DED FindFirstFileW, 0_2_02179DED
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_0040928E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 15_2_0041C322
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 15_2_0040C388
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_004096A0
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 15_2_00408847
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00407877 FindFirstFileW,FindNextFileW, 15_2_00407877
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0044E8F9 FindFirstFileExA, 15_2_0044E8F9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0040BB6B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 15_2_00419B86
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 15_2_0040BD72
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020AC589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 15_2_020AC589
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0209C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 15_2_0209C5EF
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_02098AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 15_2_02098AAE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_02097ADE FindFirstFileW,FindNextFileW, 15_2_02097ADE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020DEB60 FindFirstFileExA, 15_2_020DEB60
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_02099907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_02099907
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_0209BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0209BDD2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 15_2_020A9DED FindFirstFileW, 15_2_020A9DED
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_0040928E
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 25_2_0041C322
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 25_2_0040C388
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_004096A0
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 25_2_00408847
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00407877 FindFirstFileW,FindNextFileW, 25_2_00407877
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0044E8F9 FindFirstFileExA, 25_2_0044E8F9
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 25_2_0040BB6B
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 25_2_00419B86
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 25_2_0040BD72
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021AC589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 25_2_021AC589
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0219C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 25_2_0219C5EF
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_02198AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 25_2_02198AAE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_02197ADE FindFirstFileW,FindNextFileW, 25_2_02197ADE
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021DEB60 FindFirstFileExA, 25_2_021DEB60
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_02199907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_02199907
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_0219BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 25_2_0219BDD2
              Source: C:\Users\user\AppData\Roaming\yavascript.exe Code function: 25_2_021A9DED FindFirstFileW, 25_2_021A9DED
              Source: C:\Users\user\Desktop\YESOHDKMIm.exe Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,HeapCreate,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3d328a8faf94a4241bd0f3187864b2c92a157f9_012b365d_c78d28d7-2adb-4b67-8c0b-397c281cde3f\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_96681bba23e4b313c649b06b74a0d9f844b06fff_012b365d_21b14de8-9abb-49d0-9025-9a35c86b09c3\
              Source: Amcache.hve.4.dr Binary or memory string: VMware
              Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
              Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
              Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: yavascript.exe, 0000000F.00000002.2618326835.0000000000814000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
              Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
              Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
              Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\AppData\Roaming\yavascript.exeAPI call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\YESOHDKMIm.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\AppData\Roaming\yavascript.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\yavascript.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\yavascript.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\yavascript.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00434A8A
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CBE1
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] | 0_2_00443355
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02110083 push dword ptr fs:[00000030h] | 0_2_02110083
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_021A35BC mov eax, dword ptr fs:[00000030h] | 0_2_021A35BC
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0216092B mov eax, dword ptr fs:[00000030h] | 0_2_0216092B
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02160D90 mov eax, dword ptr fs:[00000030h] | 0_2_02160D90
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00443355 mov eax, dword ptr fs:[00000030h] | 15_2_00443355
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00760083 push dword ptr fs:[00000030h] | 15_2_00760083
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020D35BC mov eax, dword ptr fs:[00000030h] | 15_2_020D35BC
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0209092B mov eax, dword ptr fs:[00000030h] | 15_2_0209092B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_02090D90 mov eax, dword ptr fs:[00000030h] | 15_2_02090D90
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00443355 mov eax, dword ptr fs:[00000030h] | 25_2_00443355
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00750083 push dword ptr fs:[00000030h] | 25_2_00750083
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021D35BC mov eax, dword ptr fs:[00000030h] | 25_2_021D35BC
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0219092B mov eax, dword ptr fs:[00000030h] | 25_2_0219092B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_02190D90 mov eax, dword ptr fs:[00000030h] | 25_2_02190D90
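The fs:[00000030h] reads listed above load the PEB pointer out of the TEB, which is the usual prelude to reading PEB.BeingDebugged (offset 0x02) or PEB.NtGlobalFlag (offset 0x68) directly instead of calling IsDebuggerPresent. The scanner below is an added example and is not part of the Joe Sandbox report or the sample's code: it pattern-matches 32-bit x86 bytes for those PEB loads and reports which PEB field is read next. The byte string it scans is constructed for the example, not taken from the sample; 64-bit code (gs:[60h]) is out of scope.

```python
"""Scan 32-bit x86 code bytes for PEB loads via fs:[30h] and report the PEB
field read right afterwards (BeingDebugged, NtGlobalFlag, ...)."""

# Encodings of "load the PEB pointer from the TEB" on 32-bit Windows.
PEB_LOADS = {
    bytes.fromhex("64A130000000"):   "eax",    # mov eax, fs:[30h]   (A1 moffs32 form)
    bytes.fromhex("648B0530000000"): "eax",    # mov eax, fs:[30h]   (8B /r form)
    bytes.fromhex("648B0D30000000"): "ecx",    # mov ecx, fs:[30h]
    bytes.fromhex("648B1530000000"): "edx",    # mov edx, fs:[30h]
    bytes.fromhex("648B1D30000000"): "ebx",    # mov ebx, fs:[30h]
    bytes.fromhex("64FF3530000000"): "stack",  # push dword ptr fs:[30h]
}
REG_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3}   # ModRM register numbers

# 32-bit PEB offsets that matter for anti-debugging and manual API resolution.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# Opcodes that read [base+disp8]; value is the required ModRM reg field or None.
FIELD_READERS = {
    b"\x8b":     None,  # mov r32, [base+disp8]
    b"\x8a":     None,  # mov r8,  [base+disp8]
    b"\x0f\xb6": None,  # movzx r32, byte ptr [base+disp8]
    b"\x80":     7,     # cmp byte ptr [base+disp8], imm8   (/7)
    b"\xf6":     0,     # test byte ptr [base+disp8], imm8  (/0)
}


def _field_read_at(code, pos, base_reg):
    """Return disp8 if the bytes at pos look like a read of [base_reg+disp8]."""
    for opcode, want_reg in FIELD_READERS.items():
        if not code.startswith(opcode, pos):
            continue
        m = pos + len(opcode)            # ModRM byte, then the disp8
        if m + 1 >= len(code):
            continue
        mod, reg, rm = code[m] >> 6, (code[m] >> 3) & 7, code[m] & 7
        if mod == 1 and rm == REG_INDEX[base_reg] and want_reg in (None, reg):
            return code[m + 1]
    return None


def find_peb_accesses(code, window=16):
    """Return (offset, register, field_offset, field_name) per fs:[30h] load.

    This is a byte-pattern scan, not a disassembler: the same bytes inside an
    immediate or displacement would also match, so treat hits as leads."""
    hits = []
    pos = 0
    while pos < len(code):
        for pattern, reg in PEB_LOADS.items():
            if not code.startswith(pattern, pos):
                continue
            field = None
            if reg != "stack":           # pushed PEB pointer: consumer unknown
                end = min(pos + len(pattern) + window, len(code))
                for q in range(pos + len(pattern), end):
                    field = _field_read_at(code, q, reg)
                    if field is not None:
                        break
            name = None if field is None else PEB_FIELDS.get(field, "unknown")
            hits.append((pos, reg, field, name))
            pos += len(pattern) - 1
            break
        pos += 1
    return hits


def antidebug_fields(hits):
    """Names of debugger-detection fields among the hits, in order found."""
    return [name for _, _, _, name in hits if name in ("BeingDebugged", "NtGlobalFlag")]


# Constructed test bytes (not taken from the sample): a BeingDebugged check,
# an NtGlobalFlag check, and a bare push of the PEB pointer.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"    # mov eax, fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85C0"            # test eax, eax
    "7505"            # jnz +5
    "648B0D30000000"  # mov ecx, fs:[30h]
    "8B4168"          # mov eax, [ecx+68h]            ; PEB.NtGlobalFlag
    "A870"            # test al, 70h                  ; heap debug flags
    "64FF3530000000"  # push dword ptr fs:[30h]
)

if __name__ == "__main__":
    for off, reg, field, name in find_peb_accesses(SAMPLE_CODE):
        where = f"[{reg}+{field:#x}] -> PEB.{name}" if field is not None else "pushed"
        print(f"{off:#06x}: fs:[30h] load into {reg}, {where}")
```

Running it over an unpacked section (for example the 0x400000 image dumps the Yara rules matched) gives the offsets to look at in a disassembler; a hit on BeingDebugged or NtGlobalFlag next to an IsDebuggerPresent import is the belt-and-braces anti-debug pattern this report's signatures describe.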
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree | 0_2_004120B2
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_0043503C
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00434A8A
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0043BB71
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter | 0_2_00434BD8
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_021952A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_021952A3
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_02194CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_02194CF1
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0219BDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0219BDD8
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 15_2_0043503C
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 15_2_00434A8A
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 15_2_0043BB71
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_00434BD8 SetUnhandledExceptionFilter | 15_2_00434BD8
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020C52A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 15_2_020C52A3
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020C4CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 15_2_020C4CF1
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 15_2_020CBDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 15_2_020CBDD8
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 25_2_0043503C
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 25_2_00434A8A
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 25_2_0043BB71
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_00434BD8 SetUnhandledExceptionFilter | 25_2_00434BD8
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021C52A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 25_2_021C52A3
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021C4CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 25_2_021C4CF1
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: 25_2_021CBDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 25_2_021CBDD8
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 0_2_00412132
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 15_2_00412132
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 25_2_00412132
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00419662 mouse_event | 0_2_00419662
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00434CB6 cpuid | 0_2_00434CB6
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_0045201B
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_004520B6
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_00452143
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW | 0_2_00452393
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_00448484
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_004524BC
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW | 0_2_004525C3
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_00452690
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW | 0_2_0044896D
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoA | 0_2_0040F90C
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 0_2_00451D58
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_00451FD0
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_021B2237
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_021B2282
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_021B231D
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: EnumSystemLocalesW | 0_2_021A86EB
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_021B2723
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW | 0_2_021B25FA
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoA | 0_2_0216FB73
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW | 0_2_021A8BD4
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetLocaleInfoW | 0_2_021B282A
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_021B28F7
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 0_2_021B1FBF
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_0045201B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_004520B6
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 15_2_00452143
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 15_2_00452393
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_00448484
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 15_2_004524BC
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 15_2_004525C3
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 15_2_00452690
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 15_2_0044896D
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoA | 15_2_0040F90C
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 15_2_00451D58
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_00451FD0
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_020E2237
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_020E2282
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_020E231D
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 15_2_020D86EB
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 15_2_020E2723
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 15_2_020E25FA
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoA | 15_2_0209FB73
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 15_2_020D8BD4
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 15_2_020E282A
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 15_2_020E28F7
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 15_2_020E1FBF
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_0045201B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_004520B6
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 25_2_00452143
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 25_2_00452393
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_00448484
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 25_2_004524BC
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 25_2_004525C3
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 25_2_00452690
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 25_2_0044896D
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoA | 25_2_0040F90C
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 25_2_00451D58
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_00451FD0
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_021E2237
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_021E2282
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_021E231D
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: EnumSystemLocalesW | 25_2_021D86EB
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 25_2_021E2723
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 25_2_021E25FA
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoA | 25_2_0219FB73
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 25_2_021D8BD4
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetLocaleInfoW | 25_2_021E282A
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 25_2_021E28F7
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 25_2_021E1FBF
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041A045 __EH_prolog,73C05D90,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep | 0_2_0041A045
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW | 0_2_0041B69E
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 0_2_00449210
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.1539911339.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1496387665.0000000000694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2618326835.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTR
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA4D
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 15_2_0040BA4D
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 25_2_0040BA4D
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB6B
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: \key3.db | 0_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 15_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: \key3.db | 15_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 25_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: \key3.db | 25_2_0040BB6B

              Remote Access Functionality

Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-T59BEJ
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-T59BEJ
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-T59BEJ
Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.2190e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YESOHDKMIm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.yavascript.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.yavascript.exe.2280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YESOHDKMIm.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.2090e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.1539911339.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1496387665.0000000000694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2618326835.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YESOHDKMIm.exe PID: 2804, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3236, type: MEMORYSTR
Source: C:\Users\user\Desktop\YESOHDKMIm.exe | Code function: cmd.exe | 0_2_0040569A
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: cmd.exe | 15_2_0040569A
Source: C:\Users\user\AppData\Roaming\yavascript.exe | Code function: cmd.exe | 25_2_0040569A
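The two sections above (Stealing of Sensitive Information, Remote Access Functionality) boil down to a handful of strings a triage script can look for in the unpacked PE or the memory dumps the Yara rules matched: the Rmc-* mutex name, the Chrome Login Data and Firefox Profiles/key3.db paths, the cmd.exe string, and the geoplugin.net URL listed later in the report's URL table. The script below is an added example, not part of the Joe Sandbox report or the sample; it extracts ASCII and UTF-16LE strings from a byte blob and scores them against those indicators. The dump fragment it runs on is constructed for the example and is not bytes from the sample.

```python
"""Triage an unpacked PE or memory dump for the Remcos indicators this report
surfaces: the Rmc-* mutex, the geoplugin.net locale check, browser credential
store paths and the cmd.exe shell string."""
import re

# Indicator patterns. Browser paths are matched as substrings so a different
# profile-relative prefix (\AppData\...) does not break the match.
INDICATORS = {
    "remcos_mutex":      re.compile(r"Rmc-[A-Z0-9]{4,}"),
    "geoplugin_check":   re.compile(r"geoplugin\.net/json\.gp"),
    "chrome_login_data": re.compile(r"\\Google\\Chrome\\User Data\\Default\\Login Data"),
    "firefox_profiles":  re.compile(r"\\Mozilla\\Firefox\\Profiles\\"),
    "firefox_key3db":    re.compile(r"\\key3\.db"),
    "shell_spawn":       re.compile(r"\bcmd\.exe\b"),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")           # printable ASCII, 6+ chars
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # UTF-16LE, 6+ chars


def extract_strings(blob):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE printable runs."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def triage(blob):
    """Map indicator name -> list of (offset, encoding, matched_text)."""
    hits = {}
    for off, enc, text in extract_strings(blob):
        for name, pattern in INDICATORS.items():
            m = pattern.search(text)
            if m:
                hits.setdefault(name, []).append((off, enc, m.group()))
    return hits


def remcos_mutex(hits):
    """The Rmc-* mutex name, which identifies the build, or None."""
    found = hits.get("remcos_mutex")
    return found[0][2] if found else None


def verdict(hits):
    """Mutex plus a credential-theft or geolocation string is the Remcos signature."""
    cred_theft = {"chrome_login_data", "firefox_profiles", "firefox_key3db"} & set(hits)
    if "remcos_mutex" in hits and (cred_theft or "geoplugin_check" in hits):
        return "Remcos RAT"
    if len(hits) >= 2:
        return "suspicious"
    return "no Remcos indicators"


# Constructed dump fragment for the example (not bytes from the sample): ASCII
# strings NUL-terminated, paths as UTF-16LE, junk bytes in between.
SAMPLE_DUMP = (
    b"\xcc" * 4
    + b"Rmc-T59BEJ\x00" + b"\x00" * 3
    + b"http://geoplugin.net/json.gp\x00" + b"\x00" * 3
    + b"cmd.exe\x00" + b"\x00" * 3
    + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data".encode("utf-16-le")
    + b"\x00" * 4
    + "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\".encode("utf-16-le")
    + b"\x00" * 4
    + "\\key3.db".encode("utf-16-le") + b"\x00" * 4
)

if __name__ == "__main__":
    found = triage(SAMPLE_DUMP)
    for name, where in found.items():
        print(f"{name:18s} {where[0][1]:8s} @ {where[0][0]:#06x}  {where[0][2]}")
    print("mutex:", remcos_mutex(found), "| verdict:", verdict(found))
```

The mutex name is the one value worth pivoting on: Remcos builds carry it in the configuration, so the same Rmc-* string across unrelated samples means the same operator build, which is more useful for clustering than the file hash of a repacked dropper.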
MITRE ATT&CK Matrix (techniques observed for this sample; the number in front of each technique is the count of matching signatures)

Execution: 2 Native API; 12 Command and Scripting Interpreter; 2 Service Execution
Persistence: 1 DLL Side-Loading; 1 Windows Service; 11 Registry Run Keys / Startup Folder
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 21 Process Injection; 11 Registry Run Keys / Startup Folder
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 21 Process Injection
Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 4 File and Directory Discovery; 23 System Information Discovery; 141 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data
Command and Control: 11 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Application Layer Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no techniques observed
Behavior Graph (ID 1550261, sample YESOHDKMIm.exe, start date 06/11/2024, architecture WINDOWS, score 100; the graph image is not reproduced here, its nodes are listed below)

Root signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

YESOHDKMIm.exe (started)
  dropped: C:\Users\user\AppData\...\yavascript.exe (PE32); C:\Users\...\yavascript.exe:Zone.Identifier (ASCII)
  signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 6 other signatures
  children: yavascript.exe; WerFault.exe; WerFault.exe; 5 other processes

yavascript.exe (started separately)
  children: WerFault.exe

yavascript.exe (child of YESOHDKMIm.exe)
  network: 198.23.227.212, 32583, 49751, 49762, AS-COLOCROSSINGUS, United States
  signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); 5 other signatures
  children: WerFault.exe; WerFault.exe; WerFault.exe; 5 other processes

WerFault.exe instances and the "5 other processes" under YESOHDKMIm.exe
  dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode), one per instance; 2 other malicious files
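The chain the behavior graph shows (a user-launched binary writes yavascript.exe into %AppData%\Roaming, starts it, and the child connects out to 198.23.227.212) is what an endpoint detection should stitch together rather than alert on piecewise. The correlation below is an added example and not part of the Joe Sandbox report: it walks Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create) and flags a dropped executable that runs and then beacons to a non-standard port. The events are constructed to mirror this report's paths, PIDs and C2 address, using Sysmon's EventData field names; it assumes 32583 is the destination port, with the 497xx values read as ephemeral source ports.

```python
"""Correlate Sysmon-style events into a drop -> execute -> beacon chain."""

# Directories a standard user can write to; a freshly written .exe executed
# from here is the dropper pattern seen in this report.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Ports where outbound traffic from a fresh executable is not itself unusual.
EXPECTED_PORTS = {53, 80, 443, 8080, 8443}


def correlate(events):
    """Return alerts as (rule, pid, detail) tuples from a chronological event list.

    State kept across events: which user-writable .exe paths were written and
    by whom, and which PIDs are running such a dropped file."""
    dropped = {}        # lowercased path -> pid of the process that wrote it
    dropped_pids = {}   # pid -> lowercased image path of a dropped exe
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        image = ev["Image"].lower()
        if eid == 11:                                   # FileCreate
            target = ev["TargetFilename"].lower()
            if target.endswith(".exe") and any(d in target for d in USER_WRITABLE):
                dropped[target] = ev["ProcessId"]
        elif eid == 1:                                  # ProcessCreate
            if image in dropped:
                dropped_pids[ev["ProcessId"]] = image
                alerts.append(("dropped_exe_executed", ev["ProcessId"],
                               f"{ev['Image']} (written by pid {dropped[image]}, "
                               f"parent {ev['ParentImage']})"))
        elif eid == 3:                                  # NetworkConnect
            port = ev["DestinationPort"]
            if ev["ProcessId"] in dropped_pids and port not in EXPECTED_PORTS:
                alerts.append(("dropped_exe_beacon", ev["ProcessId"],
                               f"{ev['DestinationIp']}:{port}"))
    return alerts


def chain_complete(alerts):
    """True when one PID both executed from a dropped file and beaconed out."""
    executed = {pid for rule, pid, _ in alerts if rule == "dropped_exe_executed"}
    beaconed = {pid for rule, pid, _ in alerts if rule == "dropped_exe_beacon"}
    return bool(executed & beaconed)


# Constructed events mirroring this report's tree (field names follow Sysmon
# EventData; the records themselves are not a real export).
EVENTS = [
    {"EventID": 1, "ProcessId": 2804, "Image": r"C:\Users\user\Desktop\YESOHDKMIm.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2804, "Image": r"C:\Users\user\Desktop\YESOHDKMIm.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\yavascript.exe"},
    {"EventID": 1, "ProcessId": 7148, "Image": r"C:\Users\user\AppData\Roaming\yavascript.exe",
     "ParentImage": r"C:\Users\user\Desktop\YESOHDKMIm.exe"},
    {"EventID": 3, "ProcessId": 7148, "Image": r"C:\Users\user\AppData\Roaming\yavascript.exe",
     "DestinationIp": "198.23.227.212", "DestinationPort": 32583},
    # Benign noise: a browser started normally and talking HTTPS.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 4100, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "13.107.246.45", "DestinationPort": 443},
]

if __name__ == "__main__":
    found = correlate(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:22s} pid={pid} {detail}")
    print("full chain:", chain_complete(found))
```

Keying the second rule on the PID of a process known to run from a dropped file, rather than on the port alone, is what keeps it quiet: plenty of legitimate software uses odd ports, but very little of it was written into %AppData%\Roaming by a process on the user's Desktop a moment earlier.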

              Source | Detection | Scanner | Label
              YESOHDKMIm.exe | 61% | ReversingLabs | Win32.Trojan.Leonem
              YESOHDKMIm.exe | 100% | Avira | HEUR/AGEN.1306992
              YESOHDKMIm.exe | 100% | Joe Sandbox ML |
              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\yavascript.exe | 61% | ReversingLabs | Win32.Trojan.Leonem
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://geoplugin.net/json.gp | yavascript.exe | false | | high
              http://upx.sf.net | Amcache.hve.4.dr | false | | high
              http://geoplugin.net/json.gp/C | YESOHDKMIm.exe, 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, YESOHDKMIm.exe, 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, YESOHDKMIm.exe, 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yavascript.exe, 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp | false | | high
                      Legend (IP geolocation map):
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      198.23.227.212 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1550261
                      Start date and time:2024-11-06 16:12:04 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 8m 9s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed:40
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:YESOHDKMIm.exe
                      renamed because original name is a hash value
                      Original Sample Name:df25fa5d95355db39284da9c5e28bc040305fb125683a470b92c7a4cc225645c.exe
                      Detection:MAL
                      Classification:mal100.rans.troj.spyw.expl.evad.winEXE@19/67@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 14
                      • Number of non-executed functions: 390
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.42.73.29
                      • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes were analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: YESOHDKMIm.exe
                      Time | Type | Description
                      10:13:11 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                      10:13:44 | API Interceptor | 281626x Sleep call for process: yavascript.exe modified
                      15:12:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-T59BEJ "C:\Users\user\AppData\Roaming\yavascript.exe"
                      15:13:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-T59BEJ "C:\Users\user\AppData\Roaming\yavascript.exe"
                      Match | Associated Sample Name / URL | Detection | Threat Name
                      198.23.227.212 | NujUXO42Rg.exe | malicious | Remcos
                      198.23.227.212 | ZeaS4nUxg4.exe | malicious | Remcos
                      198.23.227.212 | documents-pdf.exe | malicious | Remcos
                      198.23.227.212 | 1kZ9olJiaG.exe | malicious | Remcos
                      198.23.227.212 | ltlbVjClX9.exe | malicious | Remcos
                                 Match: s-part-0017.t-0009.t-msedge.net
                                 Associated Sample Name / URL | Detection | Threat Name | Context
                                 https://www.google.co.in/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fir.nbaikp3.sa.com%2Fdelaw%2Flawn%2Fkoo%2Fsf_rand_string_mixed(24)/braswells@helenaindustries.com | malicious | Unknown | 13.107.246.45
                                 fIwP4c7xYt.exe | malicious | GuLoader | 13.107.246.45
                                 2CUvvDyapb.exe | malicious | Remcos | 13.107.246.45
                                 DHOYXfCAeB.exe | malicious | AgentTesla, PureLog Stealer | 13.107.246.45
                                 http://blacksaltys.com | malicious | Unknown | 13.107.246.45
                                 http://blacksaltys.com | malicious | Unknown | 13.107.246.45
                                 N2DJ1eUIE6.exe | malicious | FormBook, GuLoader | 13.107.246.45
                                 file.exe | malicious | LummaC | 13.107.246.45
                                 https://booking.com@slongre.com/vrmcoabu | malicious | Unknown | 13.107.246.45
                                 file.exe | malicious | Unknown | 13.107.246.45
                                 Match: AS-COLOCROSSINGUS
                                 Associated Sample Name / URL | Detection | Threat Name | Context
                                 173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 107.174.244.110
                                 FACF9877656789000.bat.exe | malicious | Remcos | 192.3.101.137
                                 1730880308a25cd41259538643a6a02b355f33de1f56cb7e6d874f22aad09eac2596439da1840.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 107.173.160.168
                                 1730880247cf66167bcfd0746932f87db200bfceb4d3c06bb32722efa7cbc37412fdc49363938.dat-decoded.exe | malicious | XWorm | 192.3.176.176
                                 givenmebestthignswithgoodnewforentirerlifethingstobe.hta | malicious | Cobalt Strike, HTMLPhisher | 172.245.135.166
                                 goodthingsforentireprocessgetmebackwithgoodnewsthings.hta | malicious | Cobalt Strike, HTMLPhisher | 107.172.61.130
                                 createdbestthingswithentirelifewithgoodfeaturesareonhere.hta | malicious | Cobalt Strike, HTMLPhisher | 107.173.4.23
                                 xBA TM06-Q6-11-24.doc | malicious | Snake Keylogger, VIP Keylogger | 107.174.244.110
                                 NujUXO42Rg.exe | malicious | Remcos | 198.23.227.212
                                 Payment Advice-RefA22D4YdWsbE5.xla.xlsx | malicious | FormBook, HTMLPhisher | 107.173.4.23
                                No context
                                No context
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9503615464249552
                                Encrypted:false
                                SSDEEP:192:RasUiAim056r3tujxrZr6GzuiFLZ24IO88m:R9UiAiN56rAj9zuiFLY4IO8V
                                MD5:7B8D3EE7A080A23CFEE409AFB012E459
                                SHA1:9A9BCCEEAE02804A8C324AE75C0987C292E0B80F
                                SHA-256:43F856BA4494890660F0B95E916B435E4ABF51C9A57D0AC29481857F2B975EF1
                                SHA-512:CE5DE5D6BF3A28DBD65EC630003D8047513FB59D3449C874ED2FAC8B0A0CA3DF0447E2206543B62043111035CC621C8187E5B5FD67F0D5CB53866C39508A61F7
                                Malicious:true
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795786691235
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=03c5192a-21cd-409f-ae90-dc396ce6015d
                                   IntegratorReportIdentifier=a1a118ab-53f1-4567-9da7-27dd6fbfe380
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=YESOHDKMIm.exe
                                   AppSessionGuid=00000af4-0001-0014-bb9a-c55b5e30db01
                                   TargetAppId=W:00060f2bf76883c42fb03f1893c6b510b2360000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!YESOHDKMIm.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!YESOHDKMIm.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9637637379755916
                                Encrypted:false
                                SSDEEP:192:YzsUiATtm056r3tujxrZr6pzuiFLZ24IO88m:FUiAZN56rAjKzuiFLY4IO8V
                                MD5:3230C152A2E98F3DDA0BF352154DE7C7
                                SHA1:13F762DE813149947CB3D08135AD81AFEF600E34
                                SHA-256:8ECC7A866845A9130E9750138961C138130CFA8842D8B5A13BFB24B779E6934C
                                SHA-512:74132F56F6FE41080277B0B046319DC9F1813C9E09B309C06C9EDC7882F450F7E17F080E2A2BF26203A5A1FAC981064A6AD49B2F9B1D6A2CF396BB897BAB9DEB
                                Malicious:true
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795827508310
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=1a4c5f90-1685-4f59-9fe9-7364e8eed234
                                   IntegratorReportIdentifier=1fdd9daa-28fb-449d-a244-941ad6b9516c
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=YESOHDKMIm.exe
                                   AppSessionGuid=00000af4-0001-0014-bb9a-c55b5e30db01
                                   TargetAppId=W:00060f2bf76883c42fb03f1893c6b510b2360000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!YESOHDKMIm.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!YESOHDKMIm.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.963685164520514
                                Encrypted:false
                                SSDEEP:192:isUiAZm056r3tujxrZr6pzuiFLZ24IO88m:1UiAZN56rAjKzuiFLY4IO8V
                                MD5:3CFDAC4B9776479259402049849F9AF2
                                SHA1:4F0FEE62A9E80E55BC45FF36CBC5E3FD70D6E6F6
                                SHA-256:97E0058D3DE06EF1726695B9BD544EBC766A637906F0A6D3F6129AC48518F9C7
                                SHA-512:D9258204BA192F4A9F0AC2D8EA6D61207C177D443D770DF55F1CAB1877D49F5B541E97A7F1C60B90C66E949E26510D863A4E877391C5AC3F073C8DA1733BFA4B
                                Malicious:true
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795820507012
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=92a3fb56-325f-4ccf-a4fa-668e43f9db68
                                   IntegratorReportIdentifier=d2e9543c-36fc-418f-8b03-fa810c0facf9
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=YESOHDKMIm.exe
                                   AppSessionGuid=00000af4-0001-0014-bb9a-c55b5e30db01
                                   TargetAppId=W:00060f2bf76883c42fb03f1893c6b510b2360000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!YESOHDKMIm.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!YESOHDKMIm.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9637314353544473
                                Encrypted:false
                                SSDEEP:192:fsUiAZm056r3tujxrZr6pzuiFLZ24IO88m:0UiAZN56rAjKzuiFLY4IO8V
                                MD5:5AB40933380694AB2D4C57ED3B17104B
                                SHA1:700BBE220841519A4D70E7BB2DCD05CAEE8E63D3
                                SHA-256:7302CBA868EABDC11B15B4612088BE8DCCE92C7CBB4ED037906F50FAE8FC4C92
                                SHA-512:D96F59FD3FF5753DEAA4A2AAB2FDA98D57ADF219AD9F888FC00570225FC5B925847DDFA28A8EC583F1B50899458BEE1398A29077C1B2EE6B74C145F5D6BD671C
                                Malicious:true
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795800649713
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=9e6fdc43-fdf8-43d3-a3dd-bfc8ca98f9ee
                                   IntegratorReportIdentifier=45f7e24f-bd6b-44b6-82e8-8b786eb5d79f
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=YESOHDKMIm.exe
                                   AppSessionGuid=00000af4-0001-0014-bb9a-c55b5e30db01
                                   TargetAppId=W:00060f2bf76883c42fb03f1893c6b510b2360000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!YESOHDKMIm.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!YESOHDKMIm.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9641410067440029
                                Encrypted:false
                                SSDEEP:192:UQsUiA4m056r3tujxrZr6pzuiFLZ24IO88m:UTUiA4N56rAjKzuiFLY4IO8V
                                MD5:368A68B54CA7C7497952829C34E21930
                                SHA1:C54BCEAB823EFD9656AF05E6283EBE04C4E6D950
                                SHA-256:47A5E0845930632BC20D6B2E9A83737327E35239EE0FAAAB51C6DD108ED48BAC
                                SHA-512:6BB1867F547F00F8691A44CEE5F514E5795FA0150166D1D447F3EDC68B447D070CA55920ECCEC2F1711CCA9E098E40E02B1CF1FA54ADCB433DE8265DA493973D
                                Malicious:true
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795793941389
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=c7c9d1c9-fa1c-4b30-aaf7-00830b6c5aac
                                   IntegratorReportIdentifier=b5b0498f-e22d-4ab2-af5e-7964691a5138
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=YESOHDKMIm.exe
                                   AppSessionGuid=00000af4-0001-0014-bb9a-c55b5e30db01
                                   TargetAppId=W:00060f2bf76883c42fb03f1893c6b510b2360000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!YESOHDKMIm.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!YESOHDKMIm.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9636246440037198
                                Encrypted:false
                                SSDEEP:192:9OsUiATm056r3tujxrZr6pzuiFLZ24IO88m:9RUiATN56rAjKzuiFLY4IO8V
                                MD5:B527E21BB6855EAF8930F0CB073A4A39
                                SHA1:68E09721D6432846376D2657ADAC04D888AE7E7B
                                SHA-256:69F869FE0EFA595FEDCA261F032F31973E1BB00C48091ACC3AAF122F4DD0D538
                                SHA-512:F32565CBA2E17F595B4AF7ED5D6CA565C1E24A6A7BF74D779EE83D03F07CA2476C61CB5FD53479C1ED1644B8C9132683CFE7054FB7737319C2552791755175CD
                                Malicious:true
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795813871129
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=da78b0e3-d944-4ba7-91d1-ebb23de76c5b
                                   IntegratorReportIdentifier=59a7db15-fa23-4712-815e-a91851391b00
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=YESOHDKMIm.exe
                                   AppSessionGuid=00000af4-0001-0014-bb9a-c55b5e30db01
                                   TargetAppId=W:00060f2bf76883c42fb03f1893c6b510b2360000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!YESOHDKMIm.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!YESOHDKMIm.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.0342878348567874
                                Encrypted:false
                                SSDEEP:192:RcLolnisUiAi/0N13FtpXtujxrZr6HXdzuiFLZ24IO8xmG:6SUiAisN13Ftpgj+zuiFLY4IO8AG
                                MD5:A3B712D9731332C495AF2D4544088154
                                SHA1:C59F7CFEA2CEB6EFFAE8CC13CBBBF3BD45A62155
                                SHA-256:DE40485E2073D55A18ABB2604B57FD77DA1105AA4ED84A290812B3E95096628B
                                SHA-512:40FBE04A1D609D5AC09C97E7F425412BC57E4D0448E376EC83727DE825C581BFF8A795D3566F093CFFF56089EDC21C0614B5BC87CB706D626758390CF3421850
                                Malicious:true
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=APPCRASH
                                   EventTime=133753795845951716
                                   ReportType=2
                                   Consent=1
                                   UploadTime=133753795851889515
                                   ReportStatus=655456
                                   ReportIdentifier=838e463f-6c55-44a4-9970-6b3fc7f5f0ea
                                   IntegratorReportIdentifier=120c21d0-922c-45a0-a6a5-0b3bf989a7ad
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=YESOHDKMIm.exe
                                   AppSessionGuid=00000af4-0001-0014-bb9a-c55b5e30db01
                                   TargetAppId=W:00060f2bf76883c42fb03f1893c6b510b2360000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!YESOHDKMIm.exe
                                   TargetApp
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8878010616187281
                                Encrypted:false
                                SSDEEP:192:1/pMsUoecK/0zcPG1mjJnZr9zuiFLZ24IO8fu:rvUoeZszcPLjJzuiFLY4IO8m
                                MD5:DBDAA6B15D18C900DC5D24F61334FC65
                                SHA1:9492470FEFF77326AE28DB82627E40A305385F99
                                SHA-256:D131DC366C2A59FAFBE9F3F499B4A75EF5536301FEAF0F377D6D9689CC37CA8E
                                SHA-512:B6951C5120F4FA5F01136EA44F22002660FAB9D4503B401A57E29B98DC3F73CA4B17E83E033FEA183493FEBE580A54758A19A5972B6689B099DB6CBD6130F091
                                Malicious:false
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=APPCRASH
                                   EventTime=133753795902260753
                                   ReportType=2
                                   Consent=1
                                   UploadTime=133753795908198242
                                   ReportStatus=655456
                                   ReportIdentifier=9e000b64-b17e-46c9-abee-f2bcb937e8e8
                                   IntegratorReportIdentifier=80e6addd-490c-42d5-9880-60af522e1024
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=yavascript.exe
                                   AppSessionGuid=00000ca4-0001-0014-2c14-b8625e30db01
                                   TargetAppId=W:000685c1ebaf958134e674a7a7bd163629240000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!yavascript.exe
                                   TargetApp
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9309658706368895
                                Encrypted:false
                                SSDEEP:192:EsUoeuI0JsAnbcA61mjxrZr60zuiFLZ24IO8yu:3UoeujJsAnbcAfjHzuiFLY4IO8T
                                MD5:A5DC1B2C13F0FF84D1C6317AD734033A
                                SHA1:F538A926E87DF196C869E697C3E9BDEF48F7D447
                                SHA-256:6238AFCE8A9FE12F5AB32029B1BE96EA86B976369DB920ED3222B6B0E045C964
                                SHA-512:E0853670BB9DA2A72869F82CEFA96C1EAC831A16C2CF4A4A0EDA3999A63FD4D5A9509384F3CF5433F5E920C38F8EC4CC7C938A302875BA6DE9CEEB278EFA6C39
                                Malicious:false
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795930998055
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=8aaeb760-03ad-4d40-a7db-c633119c0d82
                                   IntegratorReportIdentifier=2a9537cb-69c1-4637-b8b5-0e3f84bb9e77
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=yavascript.exe
                                   AppSessionGuid=00001bec-0001-0014-1b8f-ea5f5e30db01
                                   TargetAppId=W:000685c1ebaf958134e674a7a7bd163629240000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!yavascript.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!yavascript.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9309608565477768
                                Encrypted:false
                                SSDEEP:192:dsUoefI0JsAnbcA61mjxrZr60zuiFLZ24IO8yu:SUoefjJsAnbcAfjHzuiFLY4IO8T
                                MD5:655E6284CB64E65B8A71A65509B4FD01
                                SHA1:B6F8BF662F396DEAAF2B720CBFE9BBD11538AE39
                                SHA-256:526FAE737F0983DC6F95A9C7A261DCD719EDBED5E58BDD4B35AB204B99FF0B92
                                SHA-512:1BFC82F1F001300450A496816D62030EC50FB2A9442C0C11F9D8BA833886A10018F93E8B608D31E49365685FF0083C62EFCB78DF2CEFFCD7C5B61DE0BF3CEE34
                                Malicious:false
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795877651587
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=c78d28d7-2adb-4b67-8c0b-397c281cde3f
                                   IntegratorReportIdentifier=ccea1afe-11a2-47d8-a237-a05baa29a312
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=yavascript.exe
                                   AppSessionGuid=00001bec-0001-0014-1b8f-ea5f5e30db01
                                   TargetAppId=W:000685c1ebaf958134e674a7a7bd163629240000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!yavascript.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!yavascript.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9308113854249886
                                Encrypted:false
                                SSDEEP:192:ktsUoeWI0JsAnbcA61mjxrZr60zuiFLZ24IO8yu:1UoeWjJsAnbcAfjHzuiFLY4IO8T
                                MD5:5C63FAA56C328205DCEC53C3B707DC56
                                SHA1:C5C634CC5B6254690B577D723D1C0776C1784C04
                                SHA-256:975CBA10C0D10576642E85C4F764D4ABB5BF4FA23B45E4E1FFCC4D60C679C0AC
                                SHA-512:B0A278A3261FFF5EAF341832BAE85C93BDC08787248B047BAEAD56DEAFF047CE65A1174C2C439B919E9311121059DD65EC2F450A99799AD2B4C52E5096F23339
                                Malicious:false
                                 Preview (decoded UTF-16LE text):
                                   Version=1
                                   EventType=BEX
                                   EventTime=133753795902783614
                                   ReportType=2
                                   Consent=1
                                   ReportIdentifier=ec3bd3d2-df8b-4c43-af34-0bd3f07cc8b9
                                   IntegratorReportIdentifier=fbb469c3-d2fc-4944-a1ba-9253d5dac33f
                                   Wow64Host=34404
                                   Wow64Guest=332
                                   NsAppName=yavascript.exe
                                   AppSessionGuid=00001bec-0001-0014-1b8f-ea5f5e30db01
                                   TargetAppId=W:000685c1ebaf958134e674a7a7bd163629240000ffff!0000674bd10def1727876706c9861fb16850fdd7a2d0!yavascript.exe
                                   TargetAppVer=2024//10//17:07:45:53!0!yavascript.exe
                                   BootId=429496
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9103114468504307
                                Encrypted:false
                                SSDEEP:192:7sUoeN4056r31mjxrZr6tzuiFLZ24IO8yu:gUoeNT56rwjGzuiFLY4IO8T
                                MD5:D50E8196BD735EAD6125892C69BE23E2
                                SHA1:651590A3FC6FB83CA107B8CCEB8676F12E795E29
                                SHA-256:D23A5A1A3BF0D7B33980AAEC41A1078D1AE0469803507537F9F6DDD604406F64
                                SHA-512:1A6B0905AB97B872E6F51F9134B0A1AB6988580FE5FBD93BDDDCA96F18B2D1EB41A67728B73DB7AD5E4DDC113E7A47C4445E517395EBAD8C72EE3AABB649F64E
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.3.7.9.5.8.6.2.2.8.8.6.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.b.1.4.d.e.8.-.9.a.b.b.-.4.9.d.0.-.9.0.2.5.-.9.a.3.5.c.8.6.b.0.9.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.e.2.c.e.2.c.-.a.6.0.5.-.4.e.8.f.-.b.7.3.5.-.0.c.6.3.c.0.2.9.c.7.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.c.-.0.0.0.1.-.0.0.1.4.-.1.b.8.f.-.e.a.5.f.5.e.3.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.6.7.4.b.d.1.0.d.e.f.1.7.2.7.8.7.6.7.0.6.c.9.8.6.1.f.b.1.6.8.5.0.f.d.d.7.a.2.d.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.1.7.:.0.7.:.4.5.:.5.3.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9036858696023011
                                Encrypted:false
                                SSDEEP:192:6sUoeR4056r31mjxrZr6YzuiFLZ24IO8yu:dUoeRT56rwjjzuiFLY4IO8T
                                MD5:B2EA820301BEF65328C387B0B6443D0E
                                SHA1:144C1BCCD8CE5C98AE13160030562C269CFAD007
                                SHA-256:68FFDDF4D5D85982137320D679C944416F472271F3688618816F91400A55FF7D
                                SHA-512:1E6DE9533C2C340777263676BDC92ED92F91947449354808378ACD0654032B353D7EC103317CFFE68E0C3E04684BCB40A43A48E2E7D4D5130478CAA996AC9C51
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.3.7.9.5.8.5.5.8.1.8.3.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.5.7.0.0.7.5.-.c.c.0.6.-.4.5.b.8.-.9.4.1.c.-.6.7.5.0.e.b.2.8.3.8.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.3.8.7.b.8.9.-.2.3.e.2.-.4.3.c.f.-.a.7.d.2.-.6.2.5.6.8.8.2.8.9.0.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.c.-.0.0.0.1.-.0.0.1.4.-.1.b.8.f.-.e.a.5.f.5.e.3.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.6.7.4.b.d.1.0.d.e.f.1.7.2.7.8.7.6.7.0.6.c.9.8.6.1.f.b.1.6.8.5.0.f.d.d.7.a.2.d.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.1.7.:.0.7.:.4.5.:.5.3.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:modified
                                Size (bytes):65536
                                Entropy (8bit):0.931181096219147
                                Encrypted:false
                                SSDEEP:192:fsUoe04056r31mjxrZr60zuiFLZ24IO8yu:0Uoe0T56rwjHzuiFLY4IO8T
                                MD5:9E798CC39A112CB25A7007B8C989E6D9
                                SHA1:FDC7B2F6AD6EA4E37BAA16525585EAC11DC23F9C
                                SHA-256:70DD8C0F9833A7CF9C9743836BCE38E5AF27DBE2C7B8C212D9C47E3316465BE8
                                SHA-512:CC703D3F6BC6E39149E09C328A42E6E7E2C92C083ABED9E666251B428304C756B69D1DC663EB9B2C3D52832F3A1AAA29DF1B3F4095613F3BEE8EE2E7D2252FDC
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.3.7.9.5.8.8.7.4.0.7.6.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.f.4.1.4.0.a.-.2.8.f.9.-.4.9.8.a.-.9.2.4.f.-.2.2.d.0.d.b.7.9.f.e.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.f.1.4.7.5.e.-.0.7.4.e.-.4.3.4.b.-.a.4.3.d.-.f.e.c.f.b.5.2.5.b.d.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.c.-.0.0.0.1.-.0.0.1.4.-.1.b.8.f.-.e.a.5.f.5.e.3.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.6.7.4.b.d.1.0.d.e.f.1.7.2.7.8.7.6.7.0.6.c.9.8.6.1.f.b.1.6.8.5.0.f.d.d.7.a.2.d.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.1.7.:.0.7.:.4.5.:.5.3.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9309815306627104
                                Encrypted:false
                                SSDEEP:192:lsUoel4056r31mjxrZr60zuiFLZ24IO8yu:qUoelT56rwjHzuiFLY4IO8T
                                MD5:9CE807C3715A6A3ED923ADC0250B18A3
                                SHA1:EBD2380A9E5D3C89A376F6E8C8838EC233EF384C
                                SHA-256:02919C6FF10F3287D08B56D6AE91B45820F83F9DAB288DF0F7F088137720A374
                                SHA-512:38250AE93F96A34636B0D9F43567FBCE395EA3F5637B55F12DE758398CADAF646FE36803B2F694BD0D965F5240C23FB6AD0D026EC14D0372766EF7C181E0CE2F
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.3.7.9.5.9.3.8.5.1.3.1.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.9.b.d.f.9.4.-.e.0.d.2.-.4.b.f.b.-.9.d.3.f.-.8.0.e.8.9.d.2.b.7.9.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.e.2.8.8.c.e.-.5.8.7.9.-.4.4.d.3.-.b.5.6.0.-.4.a.b.a.d.c.1.4.c.5.e.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.c.-.0.0.0.1.-.0.0.1.4.-.1.b.8.f.-.e.a.5.f.5.e.3.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.6.7.4.b.d.1.0.d.e.f.1.7.2.7.8.7.6.7.0.6.c.9.8.6.1.f.b.1.6.8.5.0.f.d.d.7.a.2.d.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.1.7.:.0.7.:.4.5.:.5.3.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9309313483232492
                                Encrypted:false
                                SSDEEP:192:FisUoexE4056r31mjxrZr60zuiFLZ24IO8yu:F1UoexET56rwjHzuiFLY4IO8T
                                MD5:CE8AFF58CD27B4FD76637775437E790B
                                SHA1:278BFFBB8B54FD17097D195382F066D95A3C5B47
                                SHA-256:F70FEC5D15A42E38EA97CC46F807BBE9282E8B4A3AC50BFC750BB02DCA4938E6
                                SHA-512:A7B91CFC6614544D12EF4F0B651321000C488C2B3711B38472D37920FB390E14CF14FF58D504942BD6814C5F3C7CCE8727976401D55E4AEA427351149D7E885C
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.3.7.9.5.9.1.2.9.9.7.1.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.9.0.6.5.a.c.-.9.d.6.2.-.4.1.2.f.-.a.2.4.2.-.3.e.d.7.8.8.e.1.9.9.0.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.2.3.1.7.1.3.-.4.a.3.4.-.4.7.3.1.-.b.d.1.1.-.8.f.a.0.1.1.e.f.c.3.8.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.c.-.0.0.0.1.-.0.0.1.4.-.1.b.8.f.-.e.a.5.f.5.e.3.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.6.7.4.b.d.1.0.d.e.f.1.7.2.7.8.7.6.7.0.6.c.9.8.6.1.f.b.1.6.8.5.0.f.d.d.7.a.2.d.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.1.7.:.0.7.:.4.5.:.5.3.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8306
                                Entropy (8bit):3.6921957530706524
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJndm6XFi2T6YcDNSU97Za4gmfX+AT2EkpDu89b/RsfTDVm:R6lXJc6Xw2T6YqSU99dgmfdLu/Kf4
                                MD5:5973BDF8BF8D6A99C6D9F791CF180652
                                SHA1:16AFE3762C55BDD97CFB7553305165A034A7ADC0
                                SHA-256:66C200EE1AE801E482BB3854FBA639A3019855D39E1E82C60FA0424621BC8478
                                SHA-512:B88B1B67C1690421D8C198E3E0A19B1D8864517A67BBFA67529EC014C53397E61E5565E5F9284BEE09E4FA4D4D25187776415B882827ED9C29F1AD835CE45845
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.3.6.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4579
                                Entropy (8bit):4.432805812360571
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VY8Ym8M4J5w6FH+q8mwkT8l2And:uIjf7I7JZ7VEJacUkT8lpnd
                                MD5:AF8A8E5659332FC73391F496795BFDB4
                                SHA1:2E0FC6F3AC93DF593ADA574AF1B544737FD279EF
                                SHA-256:A95FCA8B0E168C836307FB93519A8E050B24C5B5E734D6FDD1366CDE47069E6C
                                SHA-512:D79A8FB7786C3CF0B82B531AD382254402975BE64258A8FA5C2514088403898B88D7681A53A55BB65C3B3982AFB6438141FA507CE23A44788C4F00276C69AEEF
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8396
                                Entropy (8bit):3.69705998412204
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLm6VUF6YIuT6AxTgmfg5aAjAd2EkpB+89b/fsfKZVm:R6lXJq6VUF6Y96AxTgmfaaAjAV0/Eff
                                MD5:DF85F49A19B1E03DA206CC40CAE8B57C
                                SHA1:B6381A894E7A8D1EB2E34ED988EFC3340AA4D5AF
                                SHA-256:345B057649385FC350D3268726EFE4EE34D5F5E603E55A1272529523777C5F6E
                                SHA-512:E171A1FB117AC850FB5A8F51CE356B87A7EC0B8222AFFD9E1C905603BF86B20623A5C7284318CC232E3DD3107BD4083FA079837CDE6A1FFFD13863E375EC1247
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.461595105627064
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VY3Ym8M4J5REF9+q8vkRz8l2A3d:uIjf7I7JZ7VnJTEKGz8lp3d
                                MD5:22CCF8F0306A3D6A9515C56D64807524
                                SHA1:DA8C4E16B26D04BDDEFCD6B71D19F213D2B99CE5
                                SHA-256:995258E3E7C1150723826C8A1E03D0E583CBF83E058294370421A832D79296DF
                                SHA-512:CA3C4563938027D48AF4DBDF0EFE8D129B78E1D969FF2C07724F2281E762C5A2B4817FF8B7C3AD98743B97DB589EDBE68B4992F0C3C72C1FC7FA3E004F1D0AA6
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:11 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):61666
                                Entropy (8bit):2.2044952358467778
                                Encrypted:false
                                SSDEEP:384:yfDie9s3IRmJROw5/UByKZHi4zmbEzoznBoH4n/g9dqRNHG/:yf9s3ImJww5/61C4zmioj9nY90VG/
                                MD5:F9A9812FB97200ADC1FFB3708E37477A
                                SHA1:B1349CBA906C40596F216BAB22471A7D80121252
                                SHA-256:4BFF39CC7B344CA036B346651A4B895F2898C78BC89474B5E056121171E5A01D
                                SHA-512:85D54C6777CBA062C2EB70168D684E4F86F73F863E57BB6F61F8E2E20E2E88769E9FDA45EFA372ABE3DCE84DDBA75F7838B0FE3EC6349BCD15E8A9DE402DEB75
                                Malicious:false
                                Preview:MDMP..a..... .........+g........................l................3..........T.......8...........T...........H...............h...........T...............................................................................eJ..............GenuineIntel............T.............+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8394
                                Entropy (8bit):3.6963679375074054
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLV63Uw6YIu96ARgmfgJy2EkpBO89b2fsf8Sm:R6lXJZ63Uw6YD6ARgmfqY02Ef4
                                MD5:AFE13A990EAB9015E6F876730D0ADD30
                                SHA1:48D217944CD24626E06AE67CA6A92038B7402D9A
                                SHA-256:6DAB57D83480088F4DFB3FB7A8CDFE2697D4981154746BD1ACE3E521AC0293A7
                                SHA-512:4FF39BB8DAC2DE00FB11DAD7E7E7A63A20E7881D44FFDC20AB6C192E8AB0F0AC24586E4DB7C8C889E9B6B291DD20495D2D35E4E4F637DC25B29EA7FAA67E6CFF
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.462927085192471
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYyoYm8M4J5JEFm+q8vkJz8l2A3d:uIjf7I7JZ7VpFJD3K+z8lp3d
                                MD5:3B66C5BB6E98A3E7ECEF31DE49B6BC10
                                SHA1:AB60357FF202E3584EE3D2625E0EAC38470ED12E
                                SHA-256:B92C48139A0A05D23823913F48ECA05727C3DEC4280F23E9F7E571E7D24B5D52
                                SHA-512:221F48F184472A001DC2EEF1391A81B28FB43CE39877D418FD61F7D60024AC1E6AE32DB332D67EB7DF95CFD439F131E479802A8FC29A65219A8891C1C775BFF6
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:13 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):60328
                                Entropy (8bit):2.196304426887188
                                Encrypted:false
                                SSDEEP:384:niie9s3IR3qw5Z0yK5Hi45O3GTwznBoH4n/g98baoRSXL:n89s3I6w5W9C45Emwj9nY91ooXL
                                MD5:70A83626D5C67349D0966619E94071F9
                                SHA1:60E84C4F80877468F442BCB146013107AE209A93
                                SHA-256:551D5C247E2723B2AC6A9DCDF09A72733125958B099BD50B8AACD6E9BD4F8344
                                SHA-512:201EE7B5828F096D551042A76495C228AAE047F274950E48E64EAB8DD702162D85CF4AB5CC923D40CB2005DFF81791D579BFA42325D569F042539191C962E581
                                Malicious:false
                                Preview:MDMP..a..... .........+g........................l................3..........T.......8...........T...........................h...........T...............................................................................eJ..............GenuineIntel............T.............+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):6394
                                Entropy (8bit):3.7147391473688693
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLj564UtYg5aAjAd2EkpBi89bEfsfUsm:R6lXJn564UtYaaAjAVYEEfW
                                MD5:9F5DDCB3493900B1172DEE183A28687F
                                SHA1:B80AD9A944523001D994FA8F6436A4FB89ADD323
                                SHA-256:65E97C8734A538F539EF5854B1DC80B9EA51B467C77FBC583291C3CBF3DEE417
                                SHA-512:A2996013FCD353923FA7EE347495A90104149C08EE8C77927967E2B119AB7A159BE0A8D95AF7D0E16CDD0870E9C87C64DC8C82979A1F742EBA644F59FAE7F924
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.463395034016806
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYlzYm8M4J5REFQO+q8vkRz8l2A3d:uIjf7I7JZ7V0mJTkKGz8lp3d
                                MD5:2AA1CE38E5E7DD043CB112E5893BBEEB
                                SHA1:25EE15FD78FB14B6E5A8723EF061CD64F4ED26DD
                                SHA-256:1E1D5E4A1A81462D0EC246C732268FF665F5CB79FFC128CDEAC0405DC3E3B135
                                SHA-512:A62CB0FC2AFAED4AC84A47577192D4D9A2C75A793D3ED1A168967685BADA70D30612D89335800371EC2E35D43D65EBA8053AE7A21DDA41737FF5220D81589654
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:14 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):61764
                                Entropy (8bit):2.21061596339037
                                Encrypted:false
                                SSDEEP:384:XOie9s3IRLw5lN8VK+Hi4rAwznBoH4n/g9qykZY3:X49s3ILw5P85C4rAwj9nY9MG3
                                MD5:1444F764C097D8F0C936096D0D451020
                                SHA1:06C5DD43B065B2434B4D833FC821B944009FCAA1
                                SHA-256:4FBFDC7769022D62F5A128A8C66D0AD4E5CF9EBF406AB890E239D0C1C41B13CF
                                SHA-512:29B0A922485CF3946C26199DA725E01B1FFFFC1E282DE0FEE93F65742C526B44167E5F687FB50D39F300F14EA045D406663283949958EE3C56C6696EB51911F0
                                Malicious:false
                                Preview:MDMP..a..... .........+g........................l................3..........T.......8...........T...........p...............h...........T...............................................................................eJ..............GenuineIntel............T.............+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):6394
                                Entropy (8bit):3.7197831312880836
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLj6639EYgJy2EkpBO89bbfsfnJm:R6lXJn6639EYqY0bEfk
                                MD5:E77C531F5199F3E285736CBB71B6DE08
                                SHA1:9945AF29FC1869B0FE785D2838086C983824BA49
                                SHA-256:211303106229C6C167B87CE5AB2867E65B75C7DBB989D6C055C850886AA0678C
                                SHA-512:5E856DA58A708C22FB9506F74EBFB4723D809DAC735986763593FD0C1447CACBA047BCFE50AAEB05371B27E2762493C923A110EF5C10BCB7A96E00F0DF08AAB3
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.463261837767866
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYDYm8M4J5JEF4+q8vkJz8l2A3d:uIjf7I7JZ7VLJDpK+z8lp3d
                                MD5:9FEB08122BCEC8DC0409B371C8F172F4
                                SHA1:3CE9C23BCDEFAAECC657924F0D5DAB4F98DF35B7
                                SHA-256:E6CB2362EA7BD35993D43E14B2A802F4049A0BAB5562435B5973EA56771EC61F
                                SHA-512:323BB6B30A356FE6362D6D60815141A7C9FE95282D3D4D28785ECF3085E5102E8003C14665E87D84F0BBB16D8A40AA621C9C694BFD4DCE316D5C125D680818B8
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8396
                                Entropy (8bit):3.698465445255821
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLq6bpT6YIuDG6AxTgmfgJy2EkpBM89bVbfsfpvjm:R6lXJm6bpT6YtG6AxTgmfqYqVbEfx6
                                MD5:2963160752AA0155189246590DD3D51E
                                SHA1:97578634FF074D15F20D2C8520C78C9A6CDDF926
                                SHA-256:329014850BB2D4736CC000B3391212E8006272135C2F8B6E61E3EF6DCAFF6E9E
                                SHA-512:C0DEA23A08F4824152EF2BE516D85CE2DA381B7CCFFC70AB315F1D79558B69AB65EF1021E305B68FB353B5DFACC8DAE75E411FFA4955D4B95748010FE75E6A02
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.463092744283908
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VY1Ym8M4J5JEFz+q8vkJz8l2A3d:uIjf7I7JZ7VlJDOK+z8lp3d
                                MD5:0F790124B2559B57EE734137783043CD
                                SHA1:57F8C353B0C8711B8724B8D23C9D303142ECCE57
                                SHA-256:E508D54389BE4A2E717392B3FEB608D1C37AF7CF832F1137C433A175D64BCB3F
                                SHA-512:B88B23976CD50F31390581913FA0E23A806194C24A93FE62506DB060226E13911508C52425A145C81319C977046D3D880F5E01CE2AFB481052AC865FC999D28D
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:08 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):60132
                                Entropy (8bit):2.192935190965598
                                Encrypted:false
                                SSDEEP:384:N2ie9s3IR02w580yKrHi4uqEvTwznBoH4n/g9QcGobS:NQ9s3IDw57/C4uTbwj9nY9CoW
                                MD5:ADB4231747537745EAA874C2A67BCC7C
                                SHA1:91D8C042CB7F14B41795C91AF597DE0E6752FEAB
                                SHA-256:C4D7252F10E9E1E7B4C693807CCAC6148C92ECD29987FCA28A7D9AC280C7419A
                                SHA-512:B82E073D753F2FCB5844F7320AD4B25BABC7728A92B1C4673BE680F5E834CE6D7CC8309F9F1018356C845008B0DAA8C0DF48E3D0AEF8815CDB76652FB91BD5AD
                                Malicious:false
                                Preview:MDMP..a..... .........+g........................l................3..........T.......8...........T...............d...........h...........T...............................................................................eJ..............GenuineIntel............T.............+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8396
                                Entropy (8bit):3.6975943828936204
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLt6xzGl6YIuS6AxTgmfg5aAjAd2EkpBB89bWfsfjym:R6lXJh6xz86Yc6AxTgmfaaAjAV9WEfX
                                MD5:689BB5D47721B5CD1ACE7209221573E5
                                SHA1:E699D589F3B26AA2E8580194B8E2EB277255F7CE
                                SHA-256:D660A73691F56EC28050DC3767F6CA40F3DC662197B23F2E1E98CD1FA7B9B353
                                SHA-512:32D80EF465390131B423F4F7E17EFD3043645288E3F175B320569A1B552FDEFBC5C71D47F38F75EE85770C06FFB79937986224C3E93D1E7DA0CD79D8673C5004
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.457994256438433
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYeYm8M4J5REFZ+q8vkRz8l2A3d:uIjf7I7JZ7V+JTIKGz8lp3d
                                MD5:7FA1D2A80AE35518519C86F6794699E0
                                SHA1:C8121ACEA6ED143FA6147CDDF44A43A133297F41
                                SHA-256:87F52E7F9A56F37117A4C6612240271DFB7BFDE0274456214EEB2613770ACA52
                                SHA-512:ACDCCFADB61DE6DD9DB5FCBE6A690EEA0AD5A13BD53FE46887EF7AC4E7B89C9956884E74B7F7A4314DDABB23D0312E7F6A0204FD7319A8D4CD11C7DA67FAA45E
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:08 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):61568
                                Entropy (8bit):2.202969362307641
                                Encrypted:false
                                SSDEEP:384:wrnDie9s3IRuw5/RByKjHi4kBmjSCDYewwznBoH4n/g9L0mcNtW:w79s3Iuw5/73C4Ym+ewwj9nY9H+tW
                                MD5:FB29E89A557570C1EE0A737578406BF9
                                SHA1:B372878BCCED25EF15AEC091D02849BA62F07F1D
                                SHA-256:5C037B623F2869726782FF04B492E4E6415D17CDAC0EED8F91F52F79FFC85F10
                                SHA-512:FC4D6F19127C4A900E6D0DFB86A713830FC23DE82C6BECCC3F0623E3373AAF729E0794EC743AE64BA5E9312829AE58C44632BC31866EDECF4F0257C92F23B768
                                Malicious:false
                                Preview:MDMP..a..... .........+g........................l................3..........T.......8...........T........... ...`...........h...........T...............................................................................eJ..............GenuineIntel............T.............+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8396
                                Entropy (8bit):3.6975875364052273
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLt6bUf6YIu56AxTgmfgJy2EkpBB89bWfsfyym:R6lXJh6bUf6Yn6AxTgmfqY9WEf+
                                MD5:80319B07E0C0EE21541FE9B0380211D9
                                SHA1:FF52A0621260C5F862DB331552D3B1A6526A736D
                                SHA-256:FC9004C3EE47792B4A9EA524976B967DB60B010AE282F9D57223E60AA87C0256
                                SHA-512:87D982A7F85D6A911BC0807B1EDE04D8A6074307AD9FE7A5891783F1C5C6BAABC8875AA80C30E0F1C1A960BA7AB35291B65F73D96320133F723616EC7D87F3D3
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.464591360488211
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYzYm8M4J5JEFTV+q8vkJz8l2A3d:uIjf7I7JZ7VPJDoVK+z8lp3d
                                MD5:6AE2FAB32565B6A2AD1CF101FEF3CD61
                                SHA1:23DA2BB3A1011EC68F5BF21F9E93A82D01B458E5
                                SHA-256:53ACB4464CAF5D2B31FE0ED083FB1454A8F13484F4F60E2636873F655BFB819F
                                SHA-512:72864F2377C5AF0478D721A01D2339CCCA6A72431262CC2EB06372C3CF4EA1947B099A864243DB626C5DD0811D805CA5CAC0EC6F32830185AC17252A5BF74331
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:12:58 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):60054
                                Entropy (8bit):2.3306840909833326
                                Encrypted:false
                                SSDEEP:384:y5sI9P2YPjowfnbB6ZXKCKV93rI1A4WwlHs2nzygDE0GS:W9P2OjowfnIKjIZWqHBugTG
                                MD5:E83804AC1D34C42CEFF493F9D23AECBB
                                SHA1:13F4EA1CB65BA9DA497353D01918CF5F8B7477D1
                                SHA-256:E5E6DF15D2CB5DBD3339EAC0B1804B779CE0727EF30A9642C08CC055552BA4C8
                                SHA-512:AF016BC192F630A51D426C453F147F1B4913E5A50B3900D8182DB384466B1DEA23DACD81831A0DF6A544BF54EE8DBBE3957645492D43D0823132EB6B5B7C8030
                                Malicious:false
                                Preview:MDMP..a..... .......z.+g....................................t....2..........T.......8...........T...........H'..N...........|...........h...............................................................................eJ..............GenuineIntel............T...........x.+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8414
                                Entropy (8bit):3.703035370365209
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJw2E6QJz6YcDDSUJZhgmf6Jy2EkpBn89bSTsf6Gm:R6lXJK6S6YUSUnhgmfQYTS4fy
                                MD5:AC2B85C791EBCCC4925EA162ABB4F343
                                SHA1:6DCEFCFE22119E32DEB3946F737E172FAE47D6C0
                                SHA-256:7FE67124EDA74205DA2A02D909D402E456A59FD0B52BC7BDD60EF0A34BA3C89C
                                SHA-512:117394EFC1331E87285711FE4D1E02F52FBFADCD2CF67286A47B408D3FFDFC8A003BC7E2365C9FC8F13540682DB800FD97021D1ADCB568B65C906CD623EB9D75
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.0.4.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.503787230163799
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VY0Ym8M4JtJEFJT2+q8vKJiZ/2Chdd:uIjf7I7JZ7V8Jno2KEiprhdd
                                MD5:F8D650D8AE547DDA724AF33FBC451AB9
                                SHA1:ACFD76EBF2316B28E277CC7BF5320E59A1AF6CFD
                                SHA-256:C4C3FC54CE68F1E22689FE8B5CAA1FD8F8DFB39BEB9E79C6A39F679C6BE1E67C
                                SHA-512:2C3E8166F70736A339E0BC0D3881AC1E6A79A0451A173607B5B80FCB093292593592904A7ED93D80EFEBCEF08BBA395B7BBCC5AB1A565A63FBD1305E2C0A99AD
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:12:59 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):87902
                                Entropy (8bit):2.3613202023561266
                                Encrypted:false
                                SSDEEP:768:zI49s72jtkwfNxVen0SbKfcIZWSja+ACG:Ky3xAnlKUDSja+AH
                                MD5:3ED9D89811C37E47DB3664EA8B0B67C2
                                SHA1:5D86E41F36376E6D1E756404AC0647FF7C2A8818
                                SHA-256:797ECAF7584C0E527AEBDC7ADE776DE1A0C76FEFBB039C37C0475D78BC097C90
                                SHA-512:70B54EEA1732C15B1D8CA74DF71DB624E85E6EA2C58825AD53500FDDD482E8383B082767A0E8CA49F6069575ED756F675A5D3F0E5194C1BDBBC0DCFC996C6257
                                Malicious:false
                                Preview:MDMP..a..... .......{.+g............T...............\.......d....<..........T.......8...........T............,...*......................................................................................................eJ......h ......GenuineIntel............T...........x.+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8412
                                Entropy (8bit):3.7017134272597323
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJw2464PK6YcDmLSUJZngmf6Jy2EkpB989bbTsfBJm:R6lXJG6wK6Y7SUnngmfQYJb4fe
                                MD5:150F5A11974D898BC4593A4637856307
                                SHA1:9C06792DC90B13BAEE0722FA92779A80A63E2AD7
                                SHA-256:A51C9689E8368F520673CBA74B358C12B4EC784AC08D903D3D0CC91893EF375E
                                SHA-512:B98D33AC1E3D126EB61428EACD75FD132B3835209ED347D653FB1829D39AFDBD3881CE16303664D6C264C5099D6E0913639DEEAB95913CB3E3AEFC71BB4E237E
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.0.4.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.504186593217749
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYsYm8M4JtJEF0+q8vKJiZ/2Chdd:uIjf7I7JZ7V8JnRKEiprhdd
                                MD5:F7BDC3A9DA361E59BA706D91A979B6B8
                                SHA1:BD3711DD3A2CE9D9039A94E5BE105CE9CD70584B
                                SHA-256:C54AD31A31967C986A07468C40737CA12D6547BB28316D9AB1738DD6059620A6
                                SHA-512:289A031122A2956B05C3BD5A9F90144F2F511E66AF915AF715D13C964B7C6DA1F3A01E665D3BA50496A0653A4E19D8F827F7180A9005B28FF4C884AD721287C5
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:00 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):86206
                                Entropy (8bit):2.3410330195892475
                                Encrypted:false
                                SSDEEP:384:vkP4L9s7N+wfFa8BBSn+EDZ/LMiS5qKEcI1A4WwdjSdgY6EpIdLkt9VvRh:wQ9s7N+wfFj3S+KfcIZWSjcAdLkf5
                                MD5:2B1F24ED8E7B457354408E1037D37145
                                SHA1:905CC484C8AB2C3F1AE62CCD36501A41AADA4B10
                                SHA-256:A9726AC3D66134C47DE7ACF91AD007E5649317864FD7CA03FB6D2EBE7A2FCB10
                                SHA-512:98EDEA03C2F01B84ECBB76B46976150D7493DF80ED5E0EA6981C5E248E199B45551B97EC4F5EB3B5290216EB4734BB0AFACBCB7654BCEF550C9484C1BFB63F3D
                                Malicious:false
                                Preview:MDMP..a..... .......|.+g............T...............\.......T....<..........T.......8...........T...........H,..v$......................................................................................................eJ......h ......GenuineIntel............T...........x.+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8412
                                Entropy (8bit):3.703037659408988
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJw2v6K6YcDaSU/ZYQGgmf6Jy2EkpB089bOTsf4am:R6lXJh6K6YdSUxGgmfQYSO4f0
                                MD5:BCF2BF3721FEC2DE80330B518553201D
                                SHA1:56F9AFE7C7588511C6C7FC332228C9AAC9FBC9B9
                                SHA-256:3A10FC0F874F6B36B2792FB6D308AE933B82E5643121CE5F957FEAB58587A8F3
                                SHA-512:9D0DB14350533CA388AD69BDC750EFB3D596F8D3F44B8AE1BEC00FE8CE07B898AA287D23F1C51DF9CCB662CFCA95728130D3A4CA172B87A55F51C22A2E9A4EA2
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.505667299511067
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYLYm8M4JtJEFrk+q8vKJiZ/2Chdd:uIjf7I7JZ7VTJnskKEiprhdd
                                MD5:AA6CD399494BF45AE0EA7042196CA2D3
                                SHA1:E44506422FFE06D20C4F121C363DD9DF9B0CA6B1
                                SHA-256:50B462F8FACF0FFE12BC07E98AFBA143B725752E62327D6C0764F8201E8F9BF8
                                SHA-512:6D1E2624B53AE40AEADA2EA56BF76B786974937E5681F2AFAD98F41C6E114E2A651CD28CC4F87AC292BFC522E6AC39B409E1EB121758537F5BA40A15DCA6AE3A
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:01 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):86058
                                Entropy (8bit):2.3590648812391026
                                Encrypted:false
                                SSDEEP:384:LmgZL9s7mfwfRkZXI8+TnJyBfwiS5qKEcI1A4Wwdjr3DSAVzz0quB6:x9s7mfwfRY6JyBdfcIZWSjpuqu
                                MD5:5FAE835A3E924E9C341ECFA2627CAD0C
                                SHA1:B28E6517F8309EAB6ADA026D9A254848C9BD2415
                                SHA-256:C31E00B4E2D5AD26BFC575026C3B73D4294F1A72B027EE9DDC30CA34CAE5B02E
                                SHA-512:3A479C3F8C9B4F980F2814154FCDD5F5216CECB64BE1D153EAE19360AFEA24DE2AA285086A8C80B3903D24FC50ABDD85D879E987668CD3AA10751BE9820C4E1D
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8412
                                Entropy (8bit):3.7040717315174403
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJw2i6f6YcDuSUiZYQGgmf6Jy2EkpBL89bXTsfddm:R6lXJc6f6YZSUiGgmfQYfX4fW
                                MD5:14460079205F7B9B6AD4D6C751EB97F2
                                SHA1:9065CB15186387EF7417B27ED974CAC471592B07
                                SHA-256:18AA54A0038C637FC01B474507F21BE467C0BD881B1200D1F31F06A0CCFE0BC3
                                SHA-512:082F307FB2B288FEF13AB6A6704F0BDDF5A8335CB5258F3EE44E2EE2D6C5376B4EC6C9685E831702188B40BC985A67492A9457E96CF1D6F418712F187CFE276C
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.502704211479454
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYcPYm8M4JtJEFbO+q8vKJiZ/2Chdd:uIjf7I7JZ7VlSJnHKEiprhdd
                                MD5:C42C8C52EAA5FAE86820D7234EE05E56
                                SHA1:0D7F77899E4DE2AE687953CA180A097DB3D91319
                                SHA-256:E0B42573AA8D7987833FFCB2296FCDFE33D1FF1B6F1B2DF4404A2F398DDDFF85
                                SHA-512:62125CF8C0EC26C46918846BFAAA6FB07C5B9E400B3EC0DC66697476D9FDAF20F9C0CE18382142F74241E2FC1329D2E0EFFCD1017C35CA65A124264137DCBCDA
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:02 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):93048
                                Entropy (8bit):2.1134411401304787
                                Encrypted:false
                                SSDEEP:384:Q8BFNfTL9CPqAwf4PsiqcZHMr8BNAyBpyoHSbI1A4Wwdj7szLkvj3Kk:NH19CPpwf4kiqRobAyBp9SbIZWSjsKD
                                MD5:4A4663E791A010DEF48457CF3AE7AD00
                                SHA1:77EFE661FFCBB565029257CFC9F920BB3F42DA41
                                SHA-256:9FD72E3B686B3BFF08AB93C1C98D09CD2224672C642E3DBCC290CCCE0E816ED1
                                SHA-512:6316D09A9E6208AB57C0F98D5C4EE205A90262F7654A5BE35F4572DB4CBE19A7FFBCF96E76E4CF9FAA69339AFAA87DEE04AEBF64AD5E6F053C5C068203CC4510
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8414
                                Entropy (8bit):3.7039353174441323
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJw286l6YcD8SU9PZrfjgmf6Jy2EkpBP89bcTsfA0m:R6lXJi6l6YbSU9h3gmfQYTc4fC
                                MD5:4A133A44E5F5CEF47A33B4EB141CD55F
                                SHA1:40ADE3760E79C4E30EBAB590D0C5E9A38A8E4922
                                SHA-256:F99F9F0336FA7266B860A9496F2C1F2DC824E7EF659FB06348A1F9A6AB49D60C
                                SHA-512:D37581A1185E88518E2AE43D641894412D1EE06CEC4B686290989DFF5873AB1B7B14F15F42EB43DFC45C852901C12D920451C84D9178E21CE42F6CB8F9B33AD5
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.503581059462427
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYnYm8M4JtJEFc+q8vKJiZ/2Chdd:uIjf7I7JZ7VDJnhKEiprhdd
                                MD5:79E8AC04E89FBA97C0C224E2C4D1606E
                                SHA1:ECC5444F2F81BAEC103F4403B3ECFEDC0FDB04A0
                                SHA-256:CA709BC220E623112ACA80E0E344E52E6D68E2FBF9CE3AE9BAF2C9BDE4746CEE
                                SHA-512:F05D77060AC0D5C9BF14C01C1762D9BF2C7301FF68F9CB930B4443365BE60A3B85F168BD35D75DA5F8BD8A36F4CE8B005C15B22AF0937CBED965D0537B852C42
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:02 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):92624
                                Entropy (8bit):2.127066583259926
                                Encrypted:false
                                SSDEEP:768:ov9CPawwfPt2ZQ/AyB+v9SKIZWSj6JnfqSr7lm:oECcOoyBaSKDSjOnfqSQ
                                MD5:272E7F5447B62C55E6517F8B1447E4DE
                                SHA1:1114E32CA71788E7A240230EC0AAB53EA240041C
                                SHA-256:2A2139ECFBBACDEF852133FFCA7FE2CF7B6827CCAC6364B03A9F18B39F897860
                                SHA-512:5ECEC747E6910F2597E376DF26D3F902507BDA367D3D88487A7AC79BF068CBE8F19218257E960D2AF7E0979097B17CE66B5F6B7CB5A014FE951B18D6D1DBDFE1
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8414
                                Entropy (8bit):3.7023090298637418
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJw2j6bn6YcDGSU9PZrfjgmf6Jy2EkpBa89bcTsfD0m:R6lXJt6r6YRSU9h3gmfQYgc4fF
                                MD5:C600AE484C94EB2AFB063E2151479895
                                SHA1:CAA1F30495444BCE0E0F2433147FA33469C3041E
                                SHA-256:F363C506A3FB74BA3EC2F85E994ADF63AAC378B797704AAFCD4520D9C518C413
                                SHA-512:1985AADFF1100A1D2DFD949F8284B23CE897169FB911EE07ACA100C27E7725030C48C3A3FFF4072347463AF01059BC2135737491069D98AC535AD6093BC11AEC
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.503511447514104
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VY95Ym8M4JtJEFfRs+q8vKJiZ/2Chdd:uIjf7I7JZ7VaoJn+RsKEiprhdd
                                MD5:5D3260CD4A2E478F52D04709E1C21874
                                SHA1:CC401321582848D8ADC1E91FB82D0DFA44588A6C
                                SHA-256:D98AFF0D0F7713B251171EBAFAD29E648961CFD7BA6314E198231F8DC519195F
                                SHA-512:B7F3870189766DF1FDAFF5A8B9026EEDB495403D74F11A0A2233159717ADCFFBDC5D3E832296E2EA825298020905C580900776B5A3FC8339AD535D6440330375
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:10 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):60230
                                Entropy (8bit):2.195060786247451
                                Encrypted:false
                                SSDEEP:384:hL6ie9s3IRzQ2w5r0yKNHi4Q362wTwznBoH4n/g9jT+EHo2SKH:hI9s3I9w54BC4glAwj9nY9long
                                MD5:CA4AF4939CB8B6CEEAD999B4F9DD0AFC
                                SHA1:3633750A7DBAA7D9DD8DCCE5F0BE388D8FE4C962
                                SHA-256:7E95DAB70A007134C7043A7630B8568EF6F7270F7C1EBA23C4E4D8A0143F47C0
                                SHA-512:CC73467912CF0E7450FF40E9D98F768514AEEE40B7A963EEEF6C74AC42EC6820C2966C8FCD873826802B37B8F1377C8E6C550F04613CDC9AB7B66803658E38FA
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:10 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):28486
                                Entropy (8bit):2.599413544891398
                                Encrypted:false
                                SSDEEP:192:Dg8h3bXsCMXuG9ccHOj6Hmb5jT6H3k4wdI3HIjRF2Lb1/X33L43i:ruCvG93ucW5jmx7SRFm/XH0y
                                MD5:6619B418F902DFFD5E506DA7AF26FA0C
                                SHA1:048309A335BBB9D1E527550052A9F0638D1CDB30
                                SHA-256:49DA76E899E34A96BE3A3853744BB89FE5720FD152463A19EDE850BC1960B6A4
                                SHA-512:EF5DACB0BA1DBC5164D07B80213CEA1D161DF95AB9B778B29EA656926C58E1585EBFB05ED13517249D87C5F232CBB70890E3FC64D4E088F57D905DDF0C35D2EC
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:04 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):42562
                                Entropy (8bit):2.664849985638633
                                Encrypted:false
                                SSDEEP:192:BUepnX1RXt9KymXwM8O3Xwfourat04P7xHIj1jD8bllULuLml/bUUqX7NiDfTrdj:eIH9KyX2wfOt04jA1jBCATXmBcj
                                MD5:3B0FBEB54B4A024BA7B6A8C6E4448B4A
                                SHA1:758F77BAEA6381554C2736132F5EE083D38665BC
                                SHA-256:CD3B32380D3AEE40AD1EDE9EF0C6A2D53F1E8ED19EF5D90142A6E621667287CF
                                SHA-512:599DC0CA5A9F884334A61364EDD44B24F67E91A3FB3A0BF1CE06D0389918126FE617B0FA2D309FCD5456403270D24D68F90FF34116F6E1C93789B048A707CC3F
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8316
                                Entropy (8bit):3.7007794627347863
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJw226Ip76YcDCSU9f2ZMgmfZ8Aa42EkpDg89bqTsfMIOm:R6lXJo6Ip76YlSU9+Mgmfta2cq4fp
                                MD5:9EB562E779C251F5310577A68393B2FE
                                SHA1:0FAD4929C0C61890163B0F3D1294B6A06910804B
                                SHA-256:715D5A50DD55BFFAC853CA07C396E97944977EAA4EC79914609A44266776C389
                                SHA-512:67A0D44D17C85F9702E4FCF2DE9DC28DF805C0D96E94D1CA157047A276D0702BC2D6D0FBA871DD74DD4C3BBABBE814D61C5D470F8D3376850130D7981B255A9B
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4579
                                Entropy (8bit):4.4924092809453935
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYkYm8M4Jtm6F/+q8SwIZ/2Chdd:uIjf7I7JZ7VAJY0kIprhdd
                                MD5:42CA60120BF208C2143479E3B406A7F5
                                SHA1:E0E6584DE10872806BBEBBBEF7FF42F8AB70C38B
                                SHA-256:CDA7189F41C2832F24BF4C8E4093E9938AA54E593E4206043C312B672103CD74
                                SHA-512:32F1B9F5624C79196BA6EE0DE5D6E5FBD3F8EC2101AB7218D9A2D7C271561DD5FADAA90F155694BECF27571CD31E0AA8962EBBC8AB4B1404CDCCBD735C25E267
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:05 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):56314
                                Entropy (8bit):2.231616326512505
                                Encrypted:false
                                SSDEEP:384:qr8+ar9PNTevw5W7XXuuWkvHiosvM7znB34n/g94ryru:qr8L9levw5WjXuu3CvvM7jinY9Pu
                                MD5:2A01D4CE3A5710A5A4ADDA87CFC3559A
                                SHA1:153818367D9989EE4BE97038AEF8A40022044997
                                SHA-256:F1B06867CC924A376EB9926A4DA1C401AF8F8CAA7A406BA987BD5B9F9E263E65
                                SHA-512:3DAB9F5087061BA0FD8E66CDE5A2031C99A01486027E3859BD29E94CC83615F14C9498D52B6F191B1C2C0300CE0882F4F6320D645F624F5255122054FABE9C0D
                                Malicious:false
                                Preview:MDMP..a..... .........+g....................................t...............T.......8...........T...........@...........................t...............................................................................eJ..............GenuineIntel............T.............+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8394
                                Entropy (8bit):3.698700481081869
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJLh6WmYre6YIui6AxTgmfgJy2EkpBy89bzfsf3Rm:R6lXJd6Wm16Y86AxTgmfqY4zEf8
                                MD5:5D3D3E7D332D6562B1DE779C57F26EF0
                                SHA1:242657F261317A809C668A34B58D349F90D15AD1
                                SHA-256:3619A4A09B56D005550A996A65B08527823A458C9FAA9A102CBD61ED5E5D2B5F
                                SHA-512:6433AC928FC12B0D7D124640B6906AF018DD83B3AA40754299A3A9FD778021038ABCB5D7331DBA93A52878BBF6A37815578D51CA6C2C3591B1B37D95E7164BB0
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.464980584140717
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zspJg77aI9DgWpW8VYjYm8M4J5JEF1e+q8vkJz8l2A3d:uIjf7I7JZ7VPJD5K+z8lp3d
                                MD5:3C8942D00D5577B6A616831437C3F1C0
                                SHA1:B71B668AA6EE99FB8FE6F7C5B12C5916D50EC251
                                SHA-256:46147681ADFB5A7960F88B2451AA3DC9C46CAEA36DF0DCD707110141A8B4BB90
                                SHA-512:4751EECE2F87CB616C2FF34B3805B17BD8E794B7E5DF9E9266602AD586B4A676B3CBC72262AD34E03DE63B48A194A3D14DA5996B3357303E4F2A178BD270B6A3
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="576375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Nov 6 15:13:06 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):62322
                                Entropy (8bit):2.235313560880451
                                Encrypted:false
                                SSDEEP:384:a3X2Zb79XkPctw5c2xuKZHi4ommaowonBoH4n/g9by7DXROs:cX2l96ctw5JxhC4omiw29nY9yDhOs
                                MD5:8F173BCA67E78421409EEBB88923B65B
                                SHA1:99ADA5CA142813D69319535AC5577797D9163A83
                                SHA-256:3F8060B994106E9955165DB960FCC1257C75B5A07BCFD18408B211C0404A5B2E
                                SHA-512:E0D3B24E9155275A4B412D5455A7E5475B337B46EB5404DB013FF7285BEBE267BEC7B13226C290E5B8AFCDAA613ED41D37C8D6C61CE26CF928FEC05D24F5FAB9
                                Malicious:false
                                Preview:MDMP..a..... .........+g........................(...............62..........T.......8...........T...........0...B...........$...........................................................................................eJ..............GenuineIntel............T.............+g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\YESOHDKMIm.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):507904
                                Entropy (8bit):6.886236272449968
                                Encrypted:false
                                SSDEEP:12288:ArfDxZYCAZETh2FbGxS/nLTekXzLZCU0k:AvvQi1YnLTznr0k
                                MD5:F9294A439C591BBA283F7C6D9ED5AA37
                                SHA1:674BD10DEF1727876706C9861FB16850FDD7A2D0
                                SHA-256:DF25FA5D95355DB39284DA9C5E28BC040305FB125683A470B92C7A4CC225645C
                                SHA-512:D6625B8C3A67AEAC1265241C2388B9C25DD6DD5FE93C0F78C115DD24CAE4189E1232254063B3DB17409757CFBD3765F8F5AFBDA236B41721B8088B52DAD2E1CC
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 61%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\..A\..A\..AB.tAG..AB.eAB..AB.sA8..A{..A[..A\..A(..AB.zA]..AB.dA]..AB.aA]..ARich\..A........................PE..L.....e.............................^............@..........................0.......W..........................................P.......HI..................................................@H.......G..@............................................text...j........................... ..`.data............\..................@....rsrc...HI.......J...`..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\YESOHDKMIm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):1835008
                                Entropy (8bit):4.396543594388198
                                Encrypted:false
                                SSDEEP:6144:El4fiJoH0ncNXiUjt10qWG/gaocYGBoaUMMhA2NX4WABlBuNb4OBSqa:84vFWMYQUMM6VFYl4U
                                MD5:82F1DE495F0F95D0C91B4D3353E20B5D
                                SHA1:D9E364750F7C806DB5A50212EA2924FE405FAE1B
                                SHA-256:CA30351A07CDB2D0BFCD2E85A55AC757F468A315E910122E69C3C507379F624C
                                SHA-512:402978E92F67D2E774985799D5A967CCE701A0DEEF10C0FB2599441EB38B4958A3297AEC3781DCBE6F6BA2B655A0B1CA8B26A8A12668B75F35364D262E40FCC7
                                Malicious:false
                                Preview:regfO...O....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.2/]^0................................................................................................................................................................................................................................................................................................................................................8i........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.886236272449968
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:YESOHDKMIm.exe
                                File size:507'904 bytes
                                MD5:f9294a439c591bba283f7c6d9ed5aa37
                                SHA1:674bd10def1727876706c9861fb16850fdd7a2d0
                                SHA256:df25fa5d95355db39284da9c5e28bc040305fb125683a470b92c7a4cc225645c
                                SHA512:d6625b8c3a67aeac1265241c2388b9c25dd6dd5fe93c0f78c115dd24cae4189e1232254063b3db17409757cfbd3765f8f5afbda236b41721b8088b52dad2e1cc
                                SSDEEP:12288:ArfDxZYCAZETh2FbGxS/nLTekXzLZCU0k:AvvQi1YnLTznr0k
                                TLSH:DDB4F0C1B492E4B0E9904271EC399BF6177BBC7A9938598B33143F5F3D722D25A76202
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\..A\..A\..AB.tAG..AB.eAB..AB.sA8..A{..A[..A\..A(..AB.zA]..AB.dA]..AB.aA]..ARich\..A........................PE..L......e...
                                Icon Hash:8169693147014541
                                Entrypoint:0x405edb
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x6594D5EB [Wed Jan 3 03:35:07 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:eaddeabe4dc2146d8bbc6de524b45db8
                                Instruction
                                call 00007FE7F0D71066h
                                jmp 00007FE7F0D6CDCEh
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                call 00007FE7F0D6CF8Ch
                                xchg cl, ch
                                jmp 00007FE7F0D6CF74h
                                call 00007FE7F0D6CF83h
                                fxch st(0), st(1)
                                jmp 00007FE7F0D6CF6Bh
                                fabs
                                fld1
                                mov ch, cl
                                xor cl, cl
                                jmp 00007FE7F0D6CF61h
                                mov byte ptr [ebp-00000090h], FFFFFFFEh
                                fabs
                                fxch st(0), st(1)
                                fabs
                                fxch st(0), st(1)
                                fpatan
                                or cl, cl
                                je 00007FE7F0D6CF56h
                                fldpi
                                fsubrp st(1), st(0)
                                or ch, ch
                                je 00007FE7F0D6CF54h
                                fchs
                                ret
                                fabs
                                fld st(0), st(0)
                                fld st(0), st(0)
                                fld1
                                fsubrp st(1), st(0)
                                fxch st(0), st(1)
                                fld1
                                faddp st(1), st(0)
                                fmulp st(1), st(0)
                                ftst
                                wait
                                fstsw word ptr [ebp-000000A0h]
                                wait
                                test byte ptr [ebp-0000009Fh], 00000001h
                                jne 00007FE7F0D6CF57h
                                xor ch, ch
                                fsqrt
                                ret
                                pop eax
                                jmp 00007FE7F0D6D58Fh
                                fstp st(0)
                                fld tbyte ptr [0046108Ah]
                                ret
                                fstp st(0)
                                or cl, cl
                                je 00007FE7F0D6CF5Dh
                                fstp st(0)
                                fldpi
                                or ch, ch
                                je 00007FE7F0D6CF54h
                                fchs
                                ret
                                fstp st(0)
                                fldz
                                or ch, ch
                                je 00007FE7F0D6CF49h
                                fchs
                                ret
                                fstp st(0)
                                jmp 00007FE7F0D6D565h
                                fstp st(0)
                                mov cl, ch
                                jmp 00007FE7F0D6CF52h
                                call 00007FE7F0D6CF1Eh
                                jmp 00007FE7F0D6D570h
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                push ebp
                                mov ebp, esp
                                Programming Language:
                                • [C++] VS2008 build 21022
                                • [ASM] VS2008 build 21022
                                • [ C ] VS2008 build 21022
                                • [IMP] VS2005 build 50727
                                • [RES] VS2008 build 21022
                                • [LNK] VS2008 build 21022
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x60584 | 0x50 | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x14948 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x91000 | 0x9f8 | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x4840 | 0x18 | .text
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x47f8 | 0x40 | .text
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x184 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x5fe6a | 0x60000 | 291cab4978400488bebc300fa8565524 | False | 0.8006006876627604 | data | 7.3224419372179845 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .data | 0x61000 | 0x1a200 | 0x5c00 | 095dbe5193fc74b6800b1bf6dabe322f | False | 0.07990828804347826 | dBase III DBT, next free block index 7565155 | 0.9319388570498974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x7c000 | 0x14948 | 0x14a00 | 790d91c93bb5c0116d27ac0704c580b8 | False | 0.4412878787878788 | data | 5.462858968650598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x91000 | 0x1502 | 0x1600 | 2c6bf02e7766e8d52bcdbd4bcfbb4ecb | False | 0.39595170454545453 | data | 3.874096352062735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                LIGENAZIMAFIFAPOGEDUCEDOD | 0x86be8 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | India | 0.5953768844221106
                                LIGENAZIMAFIFAPOGEDUCEDOD | 0x86be8 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | Sri Lanka | 0.5953768844221106
                                POJOKOLOSIVOF | 0x87f58 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5835166256954328
                                POJOKOLOSIVOF | 0x87f58 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5835166256954328
                                RAJENEWOWEZASUSARIJEJUWA | 0x86200 | 0x9e7 | ASCII text, with very long lines (2535), with no line terminators | Tamil | India | 0.6055226824457594
                                RAJENEWOWEZASUSARIJEJUWA | 0x86200 | 0x9e7 | ASCII text, with very long lines (2535), with no line terminators | Tamil | Sri Lanka | 0.6055226824457594
                                RT_CURSOR | 0x89de8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
                                RT_CURSOR | 0x8ac90 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
                                RT_CURSOR | 0x8b538 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
                                RT_CURSOR | 0x8bad0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
                                RT_CURSOR | 0x8bc00 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
                                RT_CURSOR | 0x8bcd8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
                                RT_CURSOR | 0x8cb80 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
                                RT_CURSOR | 0x8d428 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
                                RT_CURSOR | 0x8d9c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
                                RT_CURSOR | 0x8e868 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
                                RT_CURSOR | 0x8f110 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
                                RT_ICON | 0x7c8c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5472350230414746
                                RT_ICON | 0x7c8c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5472350230414746
                                RT_ICON | 0x7cf88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.5964730290456431
                                RT_ICON | 0x7cf88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.5964730290456431
                                RT_ICON | 0x7f530 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.650709219858156
                                RT_ICON | 0x7f530 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.650709219858156
                                RT_ICON | 0x7f9c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.36220682302771856
                                RT_ICON | 0x7f9c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.36220682302771856
                                RT_ICON | 0x80870 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.49954873646209386
                                RT_ICON | 0x80870 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.49954873646209386
                                RT_ICON | 0x81118 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5777649769585254
                                RT_ICON | 0x81118 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5777649769585254
                                RT_ICON | 0x817e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6394508670520231
                                RT_ICON | 0x817e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6394508670520231
                                RT_ICON | 0x81d48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.44367219917012446
                                RT_ICON | 0x81d48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.44367219917012446
                                RT_ICON | 0x842f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.4526266416510319
                                RT_ICON | 0x842f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.4526266416510319
                                RT_ICON | 0x85398 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.4413934426229508
                                RT_ICON | 0x85398 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.4413934426229508
                                RT_ICON | 0x85d20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.49556737588652483
                                RT_ICON | 0x85d20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.49556737588652483
                                RT_DIALOG | 0x8f900 | 0x58 | data | | | 0.8977272727272727
                                RT_STRING | 0x8f958 | 0x396 | data | Tamil | India | 0.4553376906318083
                                RT_STRING | 0x8f958 | 0x396 | data | Tamil | Sri Lanka | 0.4553376906318083
                                RT_STRING | 0x8fcf0 | 0x360 | data | Tamil | India | 0.4664351851851852
                                RT_STRING | 0x8fcf0 | 0x360 | data | Tamil | Sri Lanka | 0.4664351851851852
                                RT_STRING | 0x90050 | 0x5fa | data | Tamil | India | 0.43790849673202614
                                RT_STRING | 0x90050 | 0x5fa | data | Tamil | Sri Lanka | 0.43790849673202614
                                RT_STRING | 0x90650 | 0x2f8 | data | Tamil | India | 0.4723684210526316
                                RT_STRING | 0x90650 | 0x2f8 | data | Tamil | Sri Lanka | 0.4723684210526316
                                RT_ACCELERATOR | 0x89d90 | 0x58 | data | Tamil | India | 0.7954545454545454
                                RT_ACCELERATOR | 0x89d90 | 0x58 | data | Tamil | Sri Lanka | 0.7954545454545454
                                RT_GROUP_CURSOR | 0x8baa0 | 0x30 | data | | | 0.9375
                                RT_GROUP_CURSOR | 0x8bcb0 | 0x22 | data | | | 1.0588235294117647
                                RT_GROUP_CURSOR | 0x8d990 | 0x30 | data | | | 0.9375
                                RT_GROUP_CURSOR | 0x8f678 | 0x30 | data | | | 0.9375
                                RT_GROUP_ICON | 0x7f998 | 0x30 | data | Tamil | India | 0.9375
                                RT_GROUP_ICON | 0x7f998 | 0x30 | data | Tamil | Sri Lanka | 0.9375
                                RT_GROUP_ICON | 0x86188 | 0x76 | data | Tamil | India | 0.6694915254237288
                                RT_GROUP_ICON | 0x86188 | 0x76 | data | Tamil | Sri Lanka | 0.6694915254237288
                                RT_VERSION | 0x8f6a8 | 0x258 | data | | | 0.5383333333333333
                                DLL | Import
                                KERNEL32.dll | InterlockedIncrement, InterlockedDecrement, GetCurrentProcess, CreateJobObjectW, WriteConsoleInputA, GetComputerNameW, GetTimeFormatA, CallNamedPipeW, FreeEnvironmentStringsA, GetTickCount, GetCommConfig, GetNumberFormatA, ClearCommBreak, GetConsoleAliasExesW, EnumTimeFormatsA, TlsSetValue, GetCurrencyFormatW, SetFileShortNameW, LoadLibraryW, ReadConsoleInputA, IsBadCodePtr, SetVolumeMountPointA, CreateProcessW, GetFileAttributesW, GetModuleFileNameW, LCMapStringA, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, GetDiskFreeSpaceW, LoadLibraryA, OpenJobObjectW, SetEnvironmentVariableA, GlobalWire, GlobalUnWire, GetCurrentDirectoryA, OpenEventW, GetShortPathNameW, SetFileAttributesW, GetVersionExW, GetTempFileNameW, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, GetStartupInfoW, RaiseException, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, TerminateProcess, IsDebuggerPresent, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
                                GDI32.dll | GetCharWidth32A
                                WINHTTP.dll | WinHttpOpen
                                Language of compilation system | Country where language is spoken | Map
                                Tamil | India |
                                Tamil | Sri Lanka |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-06T16:12:50.587302+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49751 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:09.816855+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49762 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:12.328671+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49773 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:14.896333+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49788 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:14.959931+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.9 | 49782 | TCP
2024-11-06T16:13:17.315764+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49797 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:18.933205+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49807 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:20.878528+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49816 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:22.690599+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49822 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:24.212375+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49833 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:25.742825+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49844 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:27.519667+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49852 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:29.092252+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49861 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:31.318077+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49871 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:32.848204+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49882 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:34.530339+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49891 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:36.093696+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49900 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:37.885598+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49911 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:39.420587+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49921 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:40.952141+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49927 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:42.476589+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49938 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:44.016250+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49947 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:45.554180+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49955 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:47.080203+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49965 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:48.997526+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49975 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:50.516346+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49984 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:52.063169+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49993 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:53.531773+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.9 | 49998 | TCP
2024-11-06T16:13:53.604000+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50005 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:55.157165+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50008 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:56.702594+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50009 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:58.251867+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50010 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:13:59.866697+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50011 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:01.381368+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50012 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:02.905941+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50013 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:04.392920+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50014 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:05.857574+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50015 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:07.287871+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50016 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:08.682370+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50017 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:10.053950+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50018 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:11.397316+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50019 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:12.730364+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50020 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:14.020702+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50021 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:15.288186+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50022 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:16.516602+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50023 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:17.989362+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50024 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:19.211024+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50025 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:20.408510+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50026 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:21.564136+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50027 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:22.712105+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50028 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:23.990144+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50029 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:25.070156+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50030 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:26.266292+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50031 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:27.328260+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50032 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:28.571776+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50033 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:29.708123+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50034 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:30.725785+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50035 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:31.911090+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50036 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:32.902479+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50037 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:33.944221+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50038 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:35.266911+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50039 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:36.197653+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50040 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:37.483394+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50041 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:38.396275+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50042 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:39.302597+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50043 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:40.492107+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50044 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:41.349870+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50045 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:42.234145+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50046 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:43.582174+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50047 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:44.444096+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50048 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:45.798602+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50049 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:46.708786+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50050 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:47.592066+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50051 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:48.430357+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50052 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:49.804094+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50053 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:50.808322+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50054 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:52.025340+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50055 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:52.884189+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50056 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:53.657141+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50057 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:55.194016+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50058 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:56.072013+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50059 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:57.350658+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50060 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:58.200549+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50061 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:14:59.207971+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50062 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:00.367017+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50063 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:01.251432+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50064 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:02.632756+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50065 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:03.484073+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50066 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:04.356513+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50067 | 198.23.227.212 | 32583 | TCP
2024-11-06T16:15:05.244012+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 50068 | 198.23.227.212 | 32583 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 6, 2024 16:13:47.080203056 CET4996532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:47.456578970 CET4996532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:47.461568117 CET3258349965198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:48.478734970 CET4997532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:48.483881950 CET3258349975198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:48.483952045 CET4997532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:48.488877058 CET4997532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:48.494472980 CET3258349975198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:48.997422934 CET3258349975198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:48.997525930 CET4997532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:48.997733116 CET4997532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:49.002851009 CET3258349975198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:50.009922028 CET4998432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:50.014827013 CET3258349984198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:50.014897108 CET4998432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:50.018580914 CET4998432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:50.023493052 CET3258349984198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:50.516242981 CET3258349984198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:50.516345978 CET4998432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:50.516485929 CET4998432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:50.521332026 CET3258349984198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:51.526014090 CET4999332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:51.530955076 CET3258349993198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:51.531024933 CET4999332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:51.535221100 CET4999332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:51.539969921 CET3258349993198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:52.063095093 CET3258349993198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:52.063169003 CET4999332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:52.063380003 CET4999332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:52.070343018 CET3258349993198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:53.072139025 CET5000532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:53.076921940 CET3258350005198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:53.078238964 CET5000532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:53.081764936 CET5000532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:53.086595058 CET3258350005198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:53.603910923 CET3258350005198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:53.604000092 CET5000532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:53.604162931 CET5000532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:53.609056950 CET3258350005198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:54.619082928 CET5000832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:54.623958111 CET3258350008198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:54.624054909 CET5000832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:54.627562046 CET5000832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:54.632355928 CET3258350008198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:55.157088041 CET3258350008198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:55.157165051 CET5000832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:55.157383919 CET5000832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:55.162264109 CET3258350008198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:56.165788889 CET5000932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:56.170782089 CET3258350009198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:56.170893908 CET5000932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:56.174427986 CET5000932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:56.179337978 CET3258350009198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:56.702488899 CET3258350009198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:56.702594042 CET5000932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:56.702785015 CET5000932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:56.707748890 CET3258350009198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:57.712790012 CET5001032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:57.717607975 CET3258350010198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:57.717670918 CET5001032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:57.721208096 CET5001032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:57.726030111 CET3258350010198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:58.251746893 CET3258350010198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:58.251867056 CET5001032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:58.252012968 CET5001032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:58.256939888 CET3258350010198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:59.259762049 CET5001132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:59.364329100 CET3258350011198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:59.364458084 CET5001132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:59.582709074 CET5001132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:59.587543964 CET3258350011198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:59.866585016 CET3258350011198.23.227.212192.168.2.9
                                Nov 6, 2024 16:13:59.866697073 CET5001132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:59.866734982 CET5001132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:13:59.871944904 CET3258350011198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:00.869302988 CET5001232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:00.874655008 CET3258350012198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:00.874757051 CET5001232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:00.878669024 CET5001232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:00.885279894 CET3258350012198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:01.381282091 CET3258350012198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:01.381367922 CET5001232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:01.381501913 CET5001232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:01.386492968 CET3258350012198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:02.392699003 CET5001332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:02.397615910 CET3258350013198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:02.397690058 CET5001332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:02.402131081 CET5001332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:02.407022953 CET3258350013198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:02.905695915 CET3258350013198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:02.905941010 CET5001332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:02.906080961 CET5001332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:02.910896063 CET3258350013198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:03.885484934 CET5001432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:03.890918970 CET3258350014198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:03.891007900 CET5001432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:03.900660992 CET5001432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:03.905579090 CET3258350014198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:04.392729044 CET3258350014198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:04.392920017 CET5001432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:04.392970085 CET5001432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:04.398380041 CET3258350014198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:05.337729931 CET5001532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:05.342659950 CET3258350015198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:05.342753887 CET5001532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:05.346232891 CET5001532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:05.351161003 CET3258350015198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:05.857513905 CET3258350015198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:05.857573986 CET5001532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:05.857691050 CET5001532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:05.862832069 CET3258350015198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:06.775526047 CET5001632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:06.780539036 CET3258350016198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:06.780606031 CET5001632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:06.784295082 CET5001632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:06.789216042 CET3258350016198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:07.287807941 CET3258350016198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:07.287870884 CET5001632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:07.287980080 CET5001632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:07.292707920 CET3258350016198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:08.165975094 CET5001732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:08.173242092 CET3258350017198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:08.173342943 CET5001732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:08.176834106 CET5001732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:08.182132006 CET3258350017198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:08.682305098 CET3258350017198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:08.682369947 CET5001732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:08.682481050 CET5001732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:08.687380075 CET3258350017198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:09.540930986 CET5001832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:09.546350002 CET3258350018198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:09.546447992 CET5001832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:09.549947977 CET5001832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:09.554800034 CET3258350018198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:10.053823948 CET3258350018198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:10.053950071 CET5001832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:10.054097891 CET5001832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:10.058981895 CET3258350018198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:10.884567022 CET5001932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:10.889370918 CET3258350019198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:10.889468908 CET5001932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:10.894054890 CET5001932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:10.898978949 CET3258350019198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:11.397119999 CET3258350019198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:11.397315979 CET5001932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:11.397563934 CET5001932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:11.402456045 CET3258350019198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:12.197216988 CET5002032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:12.202219009 CET3258350020198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:12.202336073 CET5002032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:12.205888987 CET5002032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:12.210761070 CET3258350020198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:12.730273008 CET3258350020198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:12.730364084 CET5002032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:12.730551004 CET5002032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:12.735348940 CET3258350020198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:13.494195938 CET5002132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:13.501632929 CET3258350021198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:13.501717091 CET5002132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:13.505215883 CET5002132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:13.512970924 CET3258350021198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:14.020642042 CET3258350021198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:14.020701885 CET5002132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:14.020822048 CET5002132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:14.026537895 CET3258350021198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:14.773165941 CET5002232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:14.778079033 CET3258350022198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:14.778171062 CET5002232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:14.786477089 CET5002232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:14.791467905 CET3258350022198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:15.288093090 CET3258350022198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:15.288186073 CET5002232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:15.288363934 CET5002232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:15.293164968 CET3258350022198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:16.009769917 CET5002332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:16.014791965 CET3258350023198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:16.014898062 CET5002332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:16.020617962 CET5002332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:16.025819063 CET3258350023198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:16.516514063 CET3258350023198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:16.516602039 CET5002332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:16.516732931 CET5002332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:16.521612883 CET3258350023198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:17.452389002 CET5002432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:17.457242966 CET3258350024198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:17.457334995 CET5002432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:17.461375952 CET5002432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:17.466391087 CET3258350024198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:17.989291906 CET3258350024198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:17.989362001 CET5002432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:18.010885000 CET5002432583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:18.016096115 CET3258350024198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:18.697205067 CET5002532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:18.702402115 CET3258350025198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:18.702466965 CET5002532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:18.706870079 CET5002532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:18.711781979 CET3258350025198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:19.210957050 CET3258350025198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:19.211024046 CET5002532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:19.211216927 CET5002532583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:19.215995073 CET3258350025198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:19.869138956 CET5002632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:19.874867916 CET3258350026198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:19.875046968 CET5002632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:19.878624916 CET5002632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:19.883814096 CET3258350026198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:20.408444881 CET3258350026198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:20.408509970 CET5002632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:20.408792019 CET5002632583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:20.413649082 CET3258350026198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:21.040870905 CET5002732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:21.045701027 CET3258350027198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:21.045928955 CET5002732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:21.049534082 CET5002732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:21.055088043 CET3258350027198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:21.560626030 CET3258350027198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:21.564136028 CET5002732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:21.564308882 CET5002732583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:21.570622921 CET3258350027198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:22.188999891 CET5002832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:22.193820953 CET3258350028198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:22.196119070 CET5002832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:22.253668070 CET5002832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:22.258685112 CET3258350028198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:22.710005045 CET3258350028198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:22.712105036 CET5002832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:22.880151033 CET5002832583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:22.886734962 CET3258350028198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:23.478353977 CET5002932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:23.483289957 CET3258350029198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:23.484112024 CET5002932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:23.487534046 CET5002932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:23.493021011 CET3258350029198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:23.990087986 CET3258350029198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:23.990144014 CET5002932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:23.990345955 CET5002932583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:23.995338917 CET3258350029198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:24.556468964 CET5003032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:24.561311960 CET3258350030198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:24.561408997 CET5003032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:24.564765930 CET5003032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:24.569947958 CET3258350030198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:25.067728996 CET3258350030198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:25.070156097 CET5003032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:25.173042059 CET5003032583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:25.177947044 CET3258350030198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:25.749561071 CET5003132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:25.754638910 CET3258350031198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:25.754703999 CET5003132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:25.758569002 CET5003132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:25.765008926 CET3258350031198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:26.266220093 CET3258350031198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:26.266292095 CET5003132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:26.266472101 CET5003132583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:26.271357059 CET3258350031198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:26.806596041 CET5003232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:26.811507940 CET3258350032198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:26.812170982 CET5003232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:26.815896034 CET5003232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:26.821099997 CET3258350032198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:27.327550888 CET3258350032198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:27.328259945 CET5003232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:27.328533888 CET5003232583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:27.333511114 CET3258350032198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:28.060380936 CET5003332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:28.065299988 CET3258350033198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:28.065419912 CET5003332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:28.139213085 CET5003332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:28.144184113 CET3258350033198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:28.571691990 CET3258350033198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:28.571775913 CET5003332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:28.571949005 CET5003332583192.168.2.9198.23.227.212
                                Nov 6, 2024 16:14:28.577383995 CET3258350033198.23.227.212192.168.2.9
                                Nov 6, 2024 16:14:29.072098017 CET5003432583192.168.2.9198.23.227.212
Nov 6, 2024 16:14:29.202578068 CET  32583  50034  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:29.202745914 CET  50034  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:29.394196987 CET  50034  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:29.399080992 CET  32583  50034  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:29.705889940 CET  32583  50034  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:29.708122969 CET  50034  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:29.708681107 CET  50034  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:29.714128971 CET  32583  50034  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:30.197155952 CET  50035  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:30.204592943 CET  32583  50035  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:30.208096981 CET  50035  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:30.211338997 CET  50035  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:30.217628002 CET  32583  50035  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:30.725678921 CET  32583  50035  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:30.725785017 CET  50035  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:30.827292919 CET  50035  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:30.836406946 CET  32583  50035  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:31.387147903 CET  50036  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:31.393064022 CET  32583  50036  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:31.393151999 CET  50036  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:31.396503925 CET  50036  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:31.401690960 CET  32583  50036  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:31.911027908 CET  32583  50036  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:31.911089897 CET  50036  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:31.911216021 CET  50036  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:31.916057110 CET  32583  50036  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:32.369349957 CET  50037  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:32.374381065 CET  32583  50037  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:32.374460936 CET  50037  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:32.377886057 CET  50037  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:32.383223057 CET  32583  50037  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:32.902417898 CET  32583  50037  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:32.902478933 CET  50037  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:32.902682066 CET  50037  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:32.907812119 CET  32583  50037  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:33.384232998 CET  50038  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:33.389111996 CET  32583  50038  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:33.389305115 CET  50038  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:33.394834995 CET  50038  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:33.399729967 CET  32583  50038  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:33.944148064 CET  32583  50038  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:33.944221020 CET  50038  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:33.944410086 CET  50038  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:33.949242115 CET  32583  50038  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:34.744769096 CET  50039  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:34.749706030 CET  32583  50039  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:34.749774933 CET  50039  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:34.753395081 CET  50039  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:34.758435011 CET  32583  50039  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:35.266825914 CET  32583  50039  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:35.266911030 CET  50039  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:35.268579006 CET  50039  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:35.273494005 CET  32583  50039  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:35.681503057 CET  50040  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:35.687197924 CET  32583  50040  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:35.687283993 CET  50040  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:35.690645933 CET  50040  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:35.695616961 CET  32583  50040  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:36.197567940 CET  32583  50040  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:36.197653055 CET  50040  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:36.197778940 CET  50040  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:36.202708006 CET  32583  50040  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:36.967593908 CET  50041  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:36.972577095 CET  32583  50041  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:36.972640991 CET  50041  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:36.976147890 CET  50041  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:36.981880903 CET  32583  50041  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:37.483206987 CET  32583  50041  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:37.483393908 CET  50041  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:37.483653069 CET  50041  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:37.489222050 CET  32583  50041  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:37.869213104 CET  50042  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:37.874154091 CET  32583  50042  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:37.874228954 CET  50042  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:37.878163099 CET  50042  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:37.883059978 CET  32583  50042  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:38.396018028 CET  32583  50042  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:38.396275043 CET  50042  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:38.396341085 CET  50042  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:38.401227951 CET  32583  50042  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:38.759593010 CET  50043  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:38.764672995 CET  32583  50043  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:38.764832973 CET  50043  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:38.768347025 CET  50043  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:38.773392916 CET  32583  50043  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:39.300441980 CET  32583  50043  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:39.302597046 CET  50043  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:39.614468098 CET  50043  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:39.619620085 CET  32583  50043  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:39.984433889 CET  50044  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:39.989387989 CET  32583  50044  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:39.989500999 CET  50044  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:39.993067980 CET  50044  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:39.998574018 CET  32583  50044  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:40.490880966 CET  32583  50044  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:40.492106915 CET  50044  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:40.492317915 CET  50044  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:40.497155905 CET  32583  50044  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:40.837563992 CET  50045  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:40.842461109 CET  32583  50045  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:40.842529058 CET  50045  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:40.845901012 CET  50045  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:40.850953102 CET  32583  50045  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:41.349627972 CET  32583  50045  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:41.349869967 CET  50045  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:41.351361036 CET  50045  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:41.356318951 CET  32583  50045  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:41.719782114 CET  50046  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:41.724685907 CET  32583  50046  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:41.726077080 CET  50046  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:41.729567051 CET  50046  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:41.734447956 CET  32583  50046  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:42.232367039 CET  32583  50046  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:42.234144926 CET  50046  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:42.662204981 CET  50046  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:42.667349100 CET  32583  50046  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:43.049091101 CET  50047  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.054054022 CET  32583  50047  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:43.054143906 CET  50047  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.058427095 CET  50047  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.063250065 CET  32583  50047  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:43.582122087 CET  32583  50047  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:43.582174063 CET  50047  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.582429886 CET  50047  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.587152004 CET  32583  50047  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:43.937068939 CET  50048  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.942131042 CET  32583  50048  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:43.942260027 CET  50048  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.945825100 CET  50048  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:43.950694084 CET  32583  50048  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:44.443388939 CET  32583  50048  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:44.444096088 CET  50048  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:44.444297075 CET  50048  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:44.449074984 CET  32583  50048  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:45.261863947 CET  50049  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:45.266738892 CET  32583  50049  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:45.266813993 CET  50049  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:45.270920038 CET  50049  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:45.275692940 CET  32583  50049  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:45.798532009 CET  32583  50049  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:45.798602104 CET  50049  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:45.798746109 CET  50049  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:45.803738117 CET  32583  50049  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:46.188808918 CET  50050  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:46.193748951 CET  32583  50050  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:46.193825006 CET  50050  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:46.198510885 CET  50050  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:46.203407049 CET  32583  50050  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:46.708635092 CET  32583  50050  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:46.708786011 CET  50050  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:46.708987951 CET  50050  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:46.713772058 CET  32583  50050  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:47.060307980 CET  50051  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.065211058 CET  32583  50051  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:47.065320015 CET  50051  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.068886042 CET  50051  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.073715925 CET  32583  50051  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:47.591445923 CET  32583  50051  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:47.592066050 CET  50051  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.595498085 CET  50051  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.600466013 CET  32583  50051  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:47.910012007 CET  50052  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.915564060 CET  32583  50052  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:47.915662050 CET  50052  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.919095993 CET  50052  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:47.924348116 CET  32583  50052  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:48.430268049 CET  32583  50052  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:48.430356979 CET  50052  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:48.523336887 CET  50052  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:48.528291941 CET  32583  50052  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:49.260345936 CET  50053  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:49.265647888 CET  32583  50053  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:49.265727997 CET  50053  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:49.269210100 CET  50053  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:49.274137974 CET  32583  50053  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:49.800158024 CET  32583  50053  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:49.804094076 CET  50053  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:49.804306984 CET  50053  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:49.811084032 CET  32583  50053  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:50.234309912 CET  50054  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:50.239156008 CET  32583  50054  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:50.239253044 CET  50054  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:50.243999004 CET  50054  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:50.249017954 CET  32583  50054  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:50.808252096 CET  32583  50054  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:50.808321953 CET  50054  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:50.809649944 CET  50054  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:50.815491915 CET  32583  50054  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:51.509625912 CET  50055  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:51.514549017 CET  32583  50055  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:51.514621019 CET  50055  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:51.518512011 CET  50055  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:51.523386955 CET  32583  50055  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:52.025242090 CET  32583  50055  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:52.025340080 CET  50055  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:52.025517941 CET  50055  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:52.030344009 CET  32583  50055  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:52.371474981 CET  50056  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:52.376416922 CET  32583  50056  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:52.376486063 CET  50056  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:52.379935026 CET  50056  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:52.384958029 CET  32583  50056  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:52.884047985 CET  32583  50056  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:52.884188890 CET  50056  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:52.884773970 CET  50056  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:52.889621019 CET  32583  50056  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:53.150969982 CET  50057  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:53.156055927 CET  32583  50057  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:53.156131983 CET  50057  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:53.159710884 CET  50057  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:53.164539099 CET  32583  50057  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:53.657025099 CET  32583  50057  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:53.657140970 CET  50057  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:53.916867018 CET  50057  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:53.921678066 CET  32583  50057  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:54.680434942 CET  50058  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:54.685489893 CET  32583  50058  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:54.685612917 CET  50058  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:54.689124107 CET  50058  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:54.694222927 CET  32583  50058  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:55.193948030 CET  32583  50058  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:55.194015980 CET  50058  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:55.194250107 CET  50058  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:55.201195955 CET  32583  50058  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:55.557451963 CET  50059  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:55.562529087 CET  32583  50059  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:55.564054012 CET  50059  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:55.567547083 CET  50059  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:55.572405100 CET  32583  50059  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:56.071855068 CET  32583  50059  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:56.072012901 CET  50059  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:56.469587088 CET  50059  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:56.474515915 CET  32583  50059  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:56.837438107 CET  50060  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:56.842346907 CET  32583  50060  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:56.842427015 CET  50060  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:56.845870018 CET  50060  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:56.850657940 CET  32583  50060  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:57.350526094 CET  32583  50060  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:57.350657940 CET  50060  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:57.350934029 CET  50060  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:57.355729103 CET  32583  50060  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:57.686969042 CET  50061  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:57.692082882 CET  32583  50061  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:57.692189932 CET  50061  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:57.695796013 CET  50061  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:57.700805902 CET  32583  50061  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:58.200301886 CET  32583  50061  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:58.200548887 CET  50061  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:58.200733900 CET  50061  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:58.205583096 CET  32583  50061  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:58.620302916 CET  50062  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:58.625399113 CET  32583  50062  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:58.625696898 CET  50062  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:58.633105040 CET  50062  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:58.638236046 CET  32583  50062  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:59.207906008 CET  32583  50062  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:59.207971096 CET  50062  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:59.208420038 CET  50062  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:59.216890097 CET  32583  50062  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:59.845670938 CET  50063  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:59.851084948 CET  32583  50063  198.23.227.212  192.168.2.9
Nov 6, 2024 16:14:59.851172924 CET  50063  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:59.854706049 CET  50063  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:14:59.859699965 CET  32583  50063  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:00.366837025 CET  32583  50063  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:00.367017031 CET  50063  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:00.367120028 CET  50063  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:00.371993065 CET  32583  50063  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:00.739875078 CET  50064  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:00.744899035 CET  32583  50064  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:00.744965076 CET  50064  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:00.764987946 CET  50064  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:00.770224094 CET  32583  50064  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:01.251362085 CET  32583  50064  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:01.251431942 CET  50064  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:01.251569986 CET  50064  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:01.256398916 CET  32583  50064  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:02.120491982 CET  50065  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.125488043 CET  32583  50065  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:02.125557899 CET  50065  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.129394054 CET  50065  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.134363890 CET  32583  50065  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:02.632705927 CET  32583  50065  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:02.632755995 CET  50065  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.632900953 CET  50065  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.639044046 CET  32583  50065  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:02.969309092 CET  50066  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.974407911 CET  32583  50066  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:02.974504948 CET  50066  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.978024006 CET  50066  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:02.983063936 CET  32583  50066  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:03.483925104 CET  32583  50066  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:03.484072924 CET  50066  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:03.484294891 CET  50066  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:03.489634991 CET  32583  50066  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:03.840723038 CET  50067  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:03.845618963 CET  32583  50067  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:03.847345114 CET  50067  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:03.850924969 CET  50067  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:03.855844021 CET  32583  50067  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:04.356448889 CET  32583  50067  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:04.356513023 CET  50067  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:04.356724024 CET  50067  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:04.361572027 CET  32583  50067  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:04.722619057 CET  50068  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:04.727509022 CET  32583  50068  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:04.727583885 CET  50068  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:04.731071949 CET  50068  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:04.735847950 CET  32583  50068  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:05.243626118 CET  32583  50068  198.23.227.212  192.168.2.9
Nov 6, 2024 16:15:05.244012117 CET  50068  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:05.365453959 CET  50068  32583  192.168.2.9  198.23.227.212
Nov 6, 2024 16:15:05.370750904 CET  32583  50068  198.23.227.212  192.168.2.9
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Nov 6, 2024 16:12:54.064246893 CET  1.1.1.1  192.168.2.9  0x4c2  No error (0)  shed.dual-low.s-part-0017.t-0009.t-msedge.net  s-part-0017.t-0009.t-msedge.net  -  CNAME (Canonical name)  IN (0x0001)  false
Nov 6, 2024 16:12:54.064246893 CET  1.1.1.1  192.168.2.9  0x4c2  No error (0)  s-part-0017.t-0009.t-msedge.net  -  13.107.246.45  A (IP address)  IN (0x0001)  false
                                Target ID:0
                                Start time:10:12:56
                                Start date:06/11/2024
                                Path:C:\Users\user\Desktop\YESOHDKMIm.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\YESOHDKMIm.exe"
                                Imagebase:0x400000
                                File size:507'904 bytes
                                MD5 hash:F9294A439C591BBA283F7C6D9ED5AA37
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1496727546.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1496387665.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.1352037586.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:true

                                Target ID:4
                                Start time:10:12:58
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 992
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:10:12:59
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1132
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:10:12:59
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1128
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:10:13:00
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1156
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:10:13:01
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1156
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:14
                                Start time:10:13:02
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1136
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:15
                                Start time:10:13:03
                                Start date:06/11/2024
                                Path:C:\Users\user\AppData\Roaming\yavascript.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\yavascript.exe"
                                Imagebase:0x400000
                                File size:507'904 bytes
                                MD5 hash:F9294A439C591BBA283F7C6D9ED5AA37
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2618326835.0000000000814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.2617952063.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.2617261877.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000003.1433585955.0000000002280000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.2618536470.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                Antivirus matches:
                                • Detection: 61%, ReversingLabs
                                Reputation:low
                                Has exited:false

                                Target ID:17
                                Start time:10:13:04
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 968
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:20
                                Start time:10:13:05
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 680
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:22
                                Start time:10:13:06
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 708
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:24
                                Start time:10:13:07
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 688
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:25
                                Start time:10:13:07
                                Start date:06/11/2024
                                Path:C:\Users\user\AppData\Roaming\yavascript.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\yavascript.exe"
                                Imagebase:0x400000
                                File size:507'904 bytes
                                MD5 hash:F9294A439C591BBA283F7C6D9ED5AA37
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000019.00000002.1539850016.0000000000750000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1539911339.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000019.00000003.1473498633.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000019.00000002.1539311942.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000019.00000002.1540122253.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                Has exited:true

                                Target ID:27
                                Start time:10:13:08
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 680
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:30
                                Start time:10:13:09
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 584
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:31
                                Start time:10:13:10
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 732
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:34
                                Start time:10:13:11
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 728
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:36
                                Start time:10:13:12
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 736
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:38
                                Start time:10:13:13
                                Start date:06/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 732
                                Imagebase:0xf30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                  Execution Graph

                                  Execution Coverage:1.5%
                                  Dynamic/Decrypted Code Coverage:24.6%
                                  Signature Coverage:45.9%
                                  Total number of Nodes:1254
                                  Total number of Limit Nodes:24
                                  execution_graph 87668 2110000 87671 2110006 87668->87671 87672 2110015 87671->87672 87675 21107a6 87672->87675 87676 21107c1 87675->87676 87677 21107ca CreateToolhelp32Snapshot 87676->87677 87678 21107e6 Module32First 87676->87678 87677->87676 87677->87678 87679 21107f5 87678->87679 87680 2110005 87678->87680 87682 2110465 87679->87682 87683 2110490 87682->87683 87684 21104a1 VirtualAlloc 87683->87684 87685 21104d9 87683->87685 87684->87685 87685->87685 87686 407cd2 88075 4020f6 87686->88075 87689 407d03 88081 4041a2 87689->88081 87692 4020f6 28 API calls 87693 407d2d 87692->87693 87694 4020f6 28 API calls 87693->87694 87695 407d3f 87694->87695 88084 41beac 87695->88084 87698 408495 87700 4084a1 87698->87700 87701 40879d 87698->87701 87699 407d58 87702 408392 87699->87702 87703 407d5e 87699->87703 87705 408762 87700->87705 87706 4084aa 87700->87706 87704 401e65 22 API calls 87701->87704 87707 401e65 22 API calls 87702->87707 87708 407d67 87703->87708 87709 40834c 87703->87709 87710 4087a9 87704->87710 87713 401e65 22 API calls 87705->87713 87711 4084b3 87706->87711 87712 4086bd 87706->87712 87714 40839e 87707->87714 87715 407d70 87708->87715 87716 4082a9 GetLogicalDriveStringsA 87708->87716 87717 401e65 22 API calls 87709->87717 87735 40417e 28 API calls 87710->87735 87719 408199 87711->87719 87726 408565 87711->87726 87727 4084c5 87711->87727 87724 401e65 22 API calls 87712->87724 87720 40876d 87713->87720 87739 40417e 28 API calls 87714->87739 87721 407d79 87715->87721 87722 40821a 87715->87722 88264 4020b7 87716->88264 87723 408357 87717->87723 88305 401e8d 87719->88305 87738 408774 StrToIntA 87720->87738 87728 4081a1 87721->87728 87729 407d82 87721->87729 87730 401e65 22 API calls 87722->87730 87750 40417e 28 API calls 87723->87750 87731 4086d0 87724->87731 87725 4082cc 88270 401f9d 28 API calls 87725->88270 87733 401e65 22 API calls 87726->87733 87736 4084ca 87727->87736 87737 40851e 87727->87737 87734 401e65 22 API calls 
4027e6 28 API calls 89156->89163 89164 4028a4 22 API calls 89157->89164 89158->89162 89162->89145 89163->89162 89166 402347 89165->89166 89167 402252 11 API calls 89166->89167 89168 4023c7 89167->89168 89168->89097 89169->88962 89170->88970 89171->88988 89172->88994 89173->88987 89174->88993 89175->88976 89176->88980 89177->88986 89186 412829 61 API calls 89183->89186 89187 43bea8 89190 43beb4 _swprintf ___BuildCatchObject 89187->89190 89188 43bec2 89203 44062d 20 API calls _abort 89188->89203 89190->89188 89192 43beec 89190->89192 89191 43bec7 pre_c_initialization ___BuildCatchObject 89198 445909 RtlEnterCriticalSection 89192->89198 89194 43bef7 89199 43bf98 89194->89199 89198->89194 89201 43bfa6 89199->89201 89200 43bf02 89204 43bf1f RtlLeaveCriticalSection std::_Lockit::~_Lockit 89200->89204 89201->89200 89205 4497ec 36 API calls 2 library calls 89201->89205 89203->89191 89204->89191 89205->89201

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad$HandleModule
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                  • API String ID: 4236061018-3687161714
                                  • Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                  • Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
                                  • Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                  • Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE

                                  Control-flow Graph

                                  [Graph of the function at 0040EA00 (blocks 40ea00 to 40f3ea; edge list omitted). Blocks that call APIs directly: 40ea00 GetModuleFileNameW; 40effe, 40f103, 40f158, 40f1a9, 40f27e, 40f293 and 40f2a8 CreateThread; 40f025 StrToIntA; 40f36f Sleep; 40f381 DeleteFileW. All other nodes are calls into internal subroutines.]
                                  APIs
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\YESOHDKMIm.exe,00000104), ref: 0040EA29
                                    • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                  • String ID: (TG$0i$Access Level: $Administrator$C:\Users\user\Desktop\YESOHDKMIm.exe$Exe$Exe$HSG$HSG$Inj$Remcos Agent initialized$Rmc-T59BEJ$Software\$User$`SG$del$del$exepath$licence$license_code.txt$tMG
                                  • API String ID: 2830904901-787544969
                                  • Opcode ID: fe73f33815753c256be49bd847e158221de9af1ec40d88e440edbb2292e98ad9
                                  • Instruction ID: 744eeac4272eceb7f63ef51a6efbfa797c3f505d1bd04c543663c5f487e0f2b9
                                  • Opcode Fuzzy Hash: fe73f33815753c256be49bd847e158221de9af1ec40d88e440edbb2292e98ad9
                                  • Instruction Fuzzy Hash: 7D32D860B043416BDA14B7729C57B6E26994F80748F40483FB9467F2E3EEBD8D45839E

                                  Control-flow Graph

                                  [Graph of the function at 00407CD2 (blocks 407cd2 to 408844; edge list omitted). Blocks that call APIs directly: 407cd2 SetEvent; 407d9d GetFileAttributesW; 407dde DeleteFileW; 4081a1 ShellExecuteW; 4082a9 GetLogicalDriveStringsA; 4084d3 SetFileAttributesW; 408674 DeleteFileA; 40872e Sleep; 408762 StrToIntA. All other nodes are calls into internal subroutines.]
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                  • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                    • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EF0,?), ref: 0041C37D
                                    • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EF0,?), ref: 0041C3AD
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EF0,?), ref: 0041C402
                                    • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C463
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C46A
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000), ref: 00404B47
                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                  • DeleteFileA.KERNEL32(?), ref: 0040868D
                                    • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                    • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                    • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                    • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                  • Sleep.KERNEL32(000007D0), ref: 00408733
                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                  • String ID: 8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
                                  • API String ID: 1067849700-718893278
                                  • Opcode ID: 2f1a24682cbe2fe852b65fe520779526e5cb4ff0ff98556eb060548ce2efbc23
                                  • Instruction ID: d596b55e62c6dc406d7f5c06aadeacefb76b4acf2f669351df47ebe9cc805958
                                  • Opcode Fuzzy Hash: 2f1a24682cbe2fe852b65fe520779526e5cb4ff0ff98556eb060548ce2efbc23
                                  • Instruction Fuzzy Hash: 9F4282716043016BC604FB76C9579AE77A9AF91348F80483FF582671E2EE7C9908C79B

                                  Control-flow Graph

                                  APIs
                                  • _wcslen.LIBCMT ref: 0040CE42
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\YESOHDKMIm.exe,00000000,00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                  • _wcslen.LIBCMT ref: 0040CF21
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\YESOHDKMIm.exe,00000000,00000000), ref: 0040CFBF
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                  • _wcslen.LIBCMT ref: 0040D001
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750F4,0000000E), ref: 0040D068
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                  • ExitProcess.KERNEL32 ref: 0040D09D
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                  • String ID: 0i$6$C:\Users\user\Desktop\YESOHDKMIm.exe$del$open
                                  • API String ID: 1579085052-1987404564
                                  • Opcode ID: 5cfa2bb9419fccedbd82ccfd27a7ac03d9b4ffbfe3094fbb24594e8856455860
                                  • Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
                                  • Opcode Fuzzy Hash: 5cfa2bb9419fccedbd82ccfd27a7ac03d9b4ffbfe3094fbb24594e8856455860
                                  • Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E

                                   Control-flow Graph: function at 0040DA6F (interactive graph not reproduced; API node: GetLongPathNameW)
                                  APIs
                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: LongNamePath
                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                  • API String ID: 82841172-425784914
                                  • Opcode ID: e90a508e1a457d7f5fc2a2102fccd42b178b01a1a2d424220c9b7a47bb93cca0
                                  • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                  • Opcode Fuzzy Hash: e90a508e1a457d7f5fc2a2102fccd42b178b01a1a2d424220c9b7a47bb93cca0
                                  • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                   Control-flow Graph: function at 0216003C (interactive graph not reproduced; API nodes: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA at two call sites)
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0216024D
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID: cess$kernel32.dll
                                  • API String ID: 4275171209-1230238691
                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                  • Instruction ID: b5ed4fde32294e7aa38a0e3cc414e3c7c438f795dd78e2fb808d139c398ac453
                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                  • Instruction Fuzzy Hash: 82526974A41229DFDB64CF58C984BACBBB1BF09304F1580E9E94DAB351DB30AA95CF14

                                   Control-flow Graph: function at 0041B354 (interactive graph not reproduced; API node: StrToIntA)
                                  APIs
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                  • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750F4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 782494840-2070987746
                                  • Opcode ID: af5a1c10c4e4d4d1bcff49d9d0ea1b51456780ad904b9fb85b61f30d16b2fa3b
                                  • Instruction ID: 99e2d84e4b8fa31c947f893a9fcbf762d6d1118dcb79bce5eaccee633664c5dc
                                  • Opcode Fuzzy Hash: af5a1c10c4e4d4d1bcff49d9d0ea1b51456780ad904b9fb85b61f30d16b2fa3b
                                  • Instruction Fuzzy Hash: 0311C47064414926C700F7659C97BFF76198B80304F94453BF806A71D3FB6C598683EE

                                   Control-flow Graph: function at 0041384F (interactive graph not reproduced; API nodes: RegCreateKeyW, RegSetValueExW, RegCloseKey)
                                  APIs
                                  • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                  • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,0i,76F937E0,?), ref: 00413888
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,0i,76F937E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                  • 0i, xrefs: 0041384F
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: 0i$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 1818849710-3401253657
                                  • Opcode ID: 4130c156bc7d53422bd274e0503f6f5712380358a0a777b589ce21756e596352
                                  • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                  • Opcode Fuzzy Hash: 4130c156bc7d53422bd274e0503f6f5712380358a0a777b589ce21756e596352
                                  • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94

                                   Control-flow Graph: function at 0040D0A4 (interactive graph not reproduced; API nodes: CreateMutexA, GetLastError)
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                  • GetLastError.KERNEL32 ref: 0040D0BE
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: CreateErrorLastMutex
                                  • String ID: Rmc-T59BEJ
                                  • API String ID: 1925916568-414001064
                                  • Opcode ID: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                  • Instruction ID: 897831e38bae895769414ba5eaefcaa992d87aaaa8244aa01aad5f1db7de32a1
                                  • Opcode Fuzzy Hash: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                  • Instruction Fuzzy Hash: 62D012B0614301EBDB0467709C5975936559B44702F50487AB50BD95F1CBFC88D08519
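
The two functions above, together with the install routine earlier on this page (CreateDirectoryW, CopyFileW of the sample into the new directory, SetFileAttributesW with 0x7 = READONLY|HIDDEN|SYSTEM, ShellExecuteW "open", ExitProcess), leave exactly two host-side indicators a responder can check without the sample's configuration: a REG_SZ value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (RegCreateKeyW with hKey 0x80000002 = HKEY_LOCAL_MACHINE) and a mutex named Rmc-T59BEJ (the CreateMutexA/GetLastError pair is the usual single-instance guard). The PowerShell triage script below is an added example, not part of the Joe Sandbox report or of Remcos. It assumes the Run value's command line points at a local .exe (the value name is not recoverable from the trace), and it checks the mutex name shown here; other builds may use a different suffix. Because the mutex is created without a "Global\" prefix it lives in the session-local namespace, so the script has to run in the logged-on user's session, and the HKCU twin of the key is checked only for completeness.

```powershell
# Added triage script (example; not from the Joe Sandbox report or the Remcos code base).
# Indicators come from the API traces: RegCreateKeyW(HKLM, "...\Policies\Explorer\Run\"),
# SetFileAttributesW(..., 0x7) on the dropped copy, and CreateMutexA(NULL, TRUE, "Rmc-T59BEJ").
# Run as the logged-on user (mutex has no Global\ prefix); elevate to read HKLM reliably.

$PolicyRunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',  # key written by the sample
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'   # per-user twin, checked for completeness
)

function Get-PolicyRunEntries {
    # One object per value under the Policies\Explorer\Run keys.
    # This key is a legitimate Group Policy location ("Run these programs at user logon"),
    # so an entry is a lead, not a verdict: inspect the target file.
    foreach ($key in $PolicyRunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-AutorunTargetInfo {
    # Resolves the first .exe token of an autorun command line (quoted paths handled) and
    # reports the attribute set and hash of the file it points at.
    param([Parameter(Mandatory)][string]$Command)
    if ($Command -notmatch '^\s*"?(?<path>[^"]+?\.exe)') { return }
    $path = [Environment]::ExpandEnvironmentVariables($Matches.path)
    if (-not (Test-Path -LiteralPath $path)) { return }
    $file  = Get-Item -LiteralPath $path -Force          # -Force: hidden/system files are skipped otherwise
    $attrs = $file.Attributes
    [pscustomobject]@{
        Path         = $file.FullName
        Attributes   = $attrs
        # READONLY|HIDDEN|SYSTEM (0x7) is what SetFileAttributesW applied to the dropped copy
        HiddenSystem = $attrs.HasFlag([IO.FileAttributes]::Hidden) -and $attrs.HasFlag([IO.FileAttributes]::System)
        SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

function Test-NamedMutex {
    # True if a mutex with this name exists in the caller's session namespace.
    param([string]$Name = 'Rmc-T59BEJ')   # name taken from the CreateMutexA trace above
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true   # exists, but owned by another security context
    }
}

$entries = @(Get-PolicyRunEntries)
if ($entries.Count -eq 0) {
    Write-Output 'No values under Policies\Explorer\Run.'
} else {
    $entries | Format-Table -AutoSize
    foreach ($e in $entries) { Get-AutorunTargetInfo -Command $e.Command | Format-List }
}
Write-Output ("Mutex 'Rmc-T59BEJ' present in this session: {0}" -f (Test-NamedMutex))
```

A hit on the mutex alone means the implant is currently running in this session; a Run entry whose target is hidden+system and not signed is the stronger on-disk lead and is what to hash and collect first.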

                                   Control-flow Graph: function at 004135E1 (interactive graph not reproduced; API nodes: RegOpenKeyExA, RegQueryValueExA, RegCloseKey)
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                  • RegCloseKey.KERNEL32(?), ref: 0041362D
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
                                  • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                  • Opcode Fuzzy Hash: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
                                  • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4

                                   Control-flow Graph: function at 00413584 (interactive graph not reproduced; API nodes: RegOpenKeyExA, RegQueryValueExA, RegCloseKey)
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                  • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                  • RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                  • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                  • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                  • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94

                                   Control-flow Graph: function at 021107A6 (interactive graph not reproduced; API nodes: CreateToolhelp32Snapshot, Module32First)
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 021107CE
                                  • Module32First.KERNEL32(00000000,00000224), ref: 021107EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496727546.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2110000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 3833638111-0
                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                  • Instruction ID: fb6e6621e7691aceecab845dd10d5a0b2510000385aebbacfc3d3673fe3c0aae
                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                  • Instruction Fuzzy Hash: 0FF096319417156FD7203BF5AD8DB6F76E8AF4D665F100538EA83914C0DB70E8854E61

                                   Control-flow Graph: function at 02160E0F (interactive graph not reproduced; API node: SetErrorMode, two calls)
                                  APIs
                                  • SetErrorMode.KERNEL32(00000400,?,?,02160223,?,?), ref: 02160E19
                                  • SetErrorMode.KERNEL32(00000000,?,?,02160223,?,?), ref: 02160E1E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                  • Instruction ID: e9c0ddff7ad8c06008852dff5cd4673f15b5d7d0f17db3ceebe3952d7cf3b5ad
                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                  • Instruction Fuzzy Hash: 53D0123154512877D7002AD4DC0DBDD7B1CDF09B66F108011FB0DD9080C770954046E5

                                   Control-flow Graph: function at 02110465 (interactive graph not reproduced; API node: VirtualAlloc)
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 021104B6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496727546.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2110000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                  • Instruction ID: e9788a5bb739dd82b4758bcc5a4a61853aeafe3dfc5b9fe05f2aaa6c7d18acf9
                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                  • Instruction Fuzzy Hash: 8B113C79A40208EFDB01DF98C985E98BBF5AF08350F0580A4F9489B361D375EA90DF80
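
Both non-image regions on this page (dumps at 02110000 and 02160000, "based on PE: false") show the same memory pattern: at 021104B6 VirtualAlloc is called with MEM_COMMIT (0x1000) and PAGE_EXECUTE_READWRITE (0x40), and the function at 0216003C allocates with PAGE_READWRITE (0x04) at 0216024D and then reaches VirtualProtect and LoadLibraryA. Either way the process ends up with committed, private, executable memory that is not backed by a file. The PowerShell script below is an added example (not from the report or from Remcos) that enumerates such regions in a live process with VirtualQueryEx; it assumes 64-bit PowerShell 5 or later on Windows and a process of the current user, or an elevated prompt for other users. The PID lookup by the sample's name at the bottom is only a convenience; any PID works.

```powershell
# Added triage script (example; not from the Joe Sandbox report or the Remcos code base).
# Lists committed MEM_PRIVATE regions of a process whose current protection is executable:
# what VirtualAlloc(..., PAGE_EXECUTE_READWRITE) or VirtualAlloc(..., PAGE_READWRITE) followed
# by VirtualProtect(PAGE_EXECUTE_*) leaves behind. Requires PowerShell 5+ on Windows.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Mem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {                      // MEMORY_BASIC_INFORMATION
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MBI lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

$ProtectNames = @{ 0x10 = 'PAGE_EXECUTE'; 0x20 = 'PAGE_EXECUTE_READ'; 0x40 = 'PAGE_EXECUTE_READWRITE'; 0x80 = 'PAGE_EXECUTE_WRITECOPY' }

function Get-PrivateExecutableRegions {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x400; $PROCESS_VM_READ = 0x10
    $MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000; $EXECUTE_MASK = 0xF0   # any PAGE_EXECUTE* bit
    $h = [Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = New-Object Mem+MBI
        $len  = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type]'Mem+MBI')
        $addr = [IntPtr]::Zero
        # Walk the address space region by region until VirtualQueryEx returns 0
        while ([Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $len) -ne [IntPtr]::Zero) {
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and ($mbi.Protect -band $EXECUTE_MASK) -ne 0) {
                [pscustomobject]@{
                    ProcessId      = $ProcessId
                    BaseAddress    = '0x{0:X}' -f [Int64]$mbi.BaseAddress
                    RegionSize     = [Int64]$mbi.RegionSize
                    Protect        = $ProtectNames[[int]($mbi.Protect -band 0xFF)]
                    # Allocated with one protection (e.g. RW 0x04) and now executable: the VirtualAlloc -> VirtualProtect pattern
                    ProtectChanged = ($mbi.AllocationProtect -ne $mbi.Protect)
                }
            }
            $next = [Int64]$mbi.BaseAddress + [Int64]$mbi.RegionSize
            if ($next -le [Int64]$addr) { break }   # end of the address space
            $addr = [IntPtr]$next
        }
    } finally {
        [void][Mem]::CloseHandle($h)
    }
}

# Usage: the sample's process name from the report, or substitute any PID.
Get-Process -Name 'YESOHDKMIm' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PrivateExecutableRegions -ProcessId $_.Id } |
    Format-Table -AutoSize
```

JIT runtimes (the .NET CLR, browsers, Java) legitimately hold private executable regions, so treat a hit as a region to dump and inspect for a PE header or position-independent code, not as a verdict on its own; a region whose AllocationProtect differs from its current protection is the closer match to the trace above.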
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 004056E6
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • __Init_thread_footer.LIBCMT ref: 00405723
                                  • CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
                                  • CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 004059E4
                                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                  • CloseHandle.KERNEL32 ref: 00405A23
                                  • CloseHandle.KERNEL32 ref: 00405A2B
                                  • CloseHandle.KERNEL32 ref: 00405A3D
                                  • CloseHandle.KERNEL32 ref: 00405A45
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                  • String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
                                  • API String ID: 2994406822-3565532687
                                  • Opcode ID: 134deb1b74f7a267023d5b3d6be2b85919463e512a8c115b3230a96783d88e77
                                  • Instruction ID: efba9956b6c01968ba48be3e84054341744464a70a9fb060b5e58b4ef4e39929
                                  • Opcode Fuzzy Hash: 134deb1b74f7a267023d5b3d6be2b85919463e512a8c115b3230a96783d88e77
                                  • Instruction Fuzzy Hash: ED91B271600604AFD711FB35AD41A6B3AAAEB84344F01443FF549A72E2DB7D9C488F6D
                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 00412141
                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                    • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                  • CloseHandle.KERNEL32(00000000), ref: 00412190
                                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Similarity
                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                  • String ID: (TG$0i$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                  • API String ID: 3018269243-1550329398
                                  • Opcode ID: 0681a282f3fa962c208f10ebf0c30c3e0782ef0728e5d59db89042b67bac8110
                                  • Instruction ID: 26abbb7e12f392f9fbc718c06b30ae47eaa1113e002934215aad22704783e961
                                  • Opcode Fuzzy Hash: 0681a282f3fa962c208f10ebf0c30c3e0782ef0728e5d59db89042b67bac8110
                                  • Instruction Fuzzy Hash: 3C71A23160420167C604FB72CD579AE77A4AE94308F40097FF586A61E2FFBC9945C69E
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 1164774033-3681987949
                                  • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                  • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                  • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                  • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                  APIs
                                  • OpenClipboard.USER32 ref: 004168FD
                                  • EmptyClipboard.USER32 ref: 0041690B
                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                  • GlobalLock.KERNEL32(00000000), ref: 00416934
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                  • CloseClipboard.USER32 ref: 00416990
                                  • OpenClipboard.USER32 ref: 00416997
                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                  • CloseClipboard.USER32 ref: 004169BF
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                  • String ID: !D@
                                  • API String ID: 3520204547-604454484
                                  • Opcode ID: f98e19e59eea15a91d3b71fa0c0f5b928df445f0179be6eeee7715d264c86d8b
                                  • Instruction ID: 40a69bedac3bd734cdfdd6227e623399476ab8ebe6f0a7c245c4ec6d1d06efb6
                                  • Opcode Fuzzy Hash: f98e19e59eea15a91d3b71fa0c0f5b928df445f0179be6eeee7715d264c86d8b
                                  • Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                  APIs
                                  • NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041D66B
                                  • GetCursorPos.USER32(?), ref: 0041D67A
                                  • SetForegroundWindow.USER32(?), ref: 0041D683
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                  • Shell_NotifyIcon.SHELL32(00000002,00474B58), ref: 0041D6EE
                                  • ExitProcess.KERNEL32 ref: 0041D6F6
                                  • CreatePopupMenu.USER32 ref: 0041D6FC
                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1665278180-3535843008
                                  • Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                  • Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
                                  • Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                  • Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BE04
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                  • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$Close$File$FirstNext
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 3527384056-432212279
                                  • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                  • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                  • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                  • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475348), ref: 0040F59E
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • CloseHandle.KERNEL32(00000000,?,00475348), ref: 0040F6A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                  • String ID: 0i$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                  • API String ID: 3756808967-2592950698
                                  • Opcode ID: 3acc3f55b6397cee36b7d5ef666cd78527c930f9b8fa3a8dd2be36fd150b4bf2
                                  • Instruction ID: f7ffc7f0dfbd756cb6275d6ec2ba0be94116b78c8c9f611e281f0170cc986b4a
                                  • Opcode Fuzzy Hash: 3acc3f55b6397cee36b7d5ef666cd78527c930f9b8fa3a8dd2be36fd150b4bf2
                                  • Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                  APIs
                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                  • CloseHandle.KERNEL32(?), ref: 004134A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                  • String ID:
                                  • API String ID: 297527592-0
                                  • Opcode ID: c7440ca18a81b1cb078e1e05a75070588a5c97419a1628ae9022092e856eb863
                                  • Instruction ID: cfdeae1586e3f17d3ae994cf28232467201964e06db1490d1c70a6fe2d897c90
                                  • Opcode Fuzzy Hash: c7440ca18a81b1cb078e1e05a75070588a5c97419a1628ae9022092e856eb863
                                  • Instruction Fuzzy Hash: A841F371104301BBD7109F26EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                  APIs
                                  • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0217D8D2
                                  • GetCursorPos.USER32(?), ref: 0217D8E1
                                  • SetForegroundWindow.USER32(?), ref: 0217D8EA
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0217D904
                                  • Shell_NotifyIcon.SHELL32(00000002,00474B58), ref: 0217D955
                                  • ExitProcess.KERNEL32 ref: 0217D95D
                                  • CreatePopupMenu.USER32 ref: 0217D963
                                  • AppendMenuA.USER32(00000000,00000000,00000000,0046CF5C), ref: 0217D978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                  • String ID:
                                  • API String ID: 1665278180-0
                                  • Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                  • Instruction ID: f773906dcec60429bfa707fd064cfbb9e154437cd1fb23014b310be3babc6742
                                  • Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                  • Instruction Fuzzy Hash: 4421F471184209FFDB095FA4ED0EAAA7B75EB48702F010138FA1AA50B6D771ED60DB58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0$1$2$3$4$5$6$7
                                  • API String ID: 0-3177665633
                                  • Opcode ID: 8290dbae049be2cdd206d8bf1c1fda6425e159576a2ff2ba4f12e613f6a6ac2b
                                  • Instruction ID: 3c74f5afe55031bef20d6cb4aa2bc38f0c43463ce83be6e36937eb537edf8bdf
                                  • Opcode Fuzzy Hash: 8290dbae049be2cdd206d8bf1c1fda6425e159576a2ff2ba4f12e613f6a6ac2b
                                  • Instruction Fuzzy Hash: CB71E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 0040A451
                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                  • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                  • GetKeyState.USER32(00000010), ref: 0040A46E
                                  • GetKeyboardState.USER32(?), ref: 0040A479
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                  • String ID: (kG
                                  • API String ID: 1888522110-2813241365
                                  • Opcode ID: 31ed79bda99ad10420f5864c73503205d5e880a6a674e4152aa1d5376154a4ca
                                  • Instruction ID: 3b9a32d10988b9101c987d3e8fcb44953e801c6634267c48ca941b3c69dca571
                                  • Opcode Fuzzy Hash: 31ed79bda99ad10420f5864c73503205d5e880a6a674e4152aa1d5376154a4ca
                                  • Instruction Fuzzy Hash: F8316D72504308BFD700DFA0DC45F9B7BECAB88754F00083AB645D61A0D7B5E948CBA6
                                  APIs
                                  • _wcslen.LIBCMT ref: 0040755C
                                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Object_wcslen
                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                  • API String ID: 240030777-3166923314
                                  • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                  • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                  • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                  • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                  • GetLastError.KERNEL32 ref: 0041A84C
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                  • String ID:
                                  • API String ID: 3587775597-0
                                  • Opcode ID: aecc12442f64b9e09ef74b3bccd7e85a6c3dbefbe2b12bf3fa7639563103188e
                                  • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                  • Opcode Fuzzy Hash: aecc12442f64b9e09ef74b3bccd7e85a6c3dbefbe2b12bf3fa7639563103188e
                                  • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0217AA56
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0217AAA5
                                  • GetLastError.KERNEL32 ref: 0217AAB3
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0217AAEB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                  • String ID:
                                  • API String ID: 3587775597-0
                                  • Opcode ID: aecc12442f64b9e09ef74b3bccd7e85a6c3dbefbe2b12bf3fa7639563103188e
                                  • Instruction ID: f0c36d00d9539ca69a76c65a31e9f6703e1cbb6bded44b87d526574f58a0d186
                                  • Opcode Fuzzy Hash: aecc12442f64b9e09ef74b3bccd7e85a6c3dbefbe2b12bf3fa7639563103188e
                                  • Instruction Fuzzy Hash: F8813C71148304AFC715EB20D898EBFB7A9BF94754F50082EF59642190EF74EA18CFA2
                                  APIs
                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 021736B9
                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 021736C7
                                  • GetFileSize.KERNEL32(?,00000000), ref: 021736D4
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 021736F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$View$CreateMappingSizeUnmap
                                  • String ID:
                                  • API String ID: 2708475042-0
                                  • Opcode ID: c7440ca18a81b1cb078e1e05a75070588a5c97419a1628ae9022092e856eb863
                                  • Instruction ID: f21851b785af09db420745fd9691726cec64b47538f7561764421151141b03cc
                                  • Opcode Fuzzy Hash: c7440ca18a81b1cb078e1e05a75070588a5c97419a1628ae9022092e856eb863
                                  • Instruction Fuzzy Hash: C941E2B2188301BFDB109B25DC49F6B7BBDEFC9724F100929F569D11A1DB30DA00DAA5
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                  • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                  • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                  • String ID: JD$JD$JD
                                  • API String ID: 745075371-3517165026
                                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                  • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                  • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                  • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0041A04A
                                  • 73C05D90.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$CreateDirectoryH_prologLocalTime
                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                  • API String ID: 3069631530-3790400642
                                  • Opcode ID: e99a5e627d12bfd47b36509d996db8dd502748e117ad26dbf2c4dfebc8144f37
                                  • Instruction ID: ac563f1b8c988fbcbdb25ffa0f060f034023d1de15a29d9718e9897573209577
                                  • Opcode Fuzzy Hash: e99a5e627d12bfd47b36509d996db8dd502748e117ad26dbf2c4dfebc8144f37
                                  • Instruction Fuzzy Hash: 3F518E70A00215AACB14BBB5C8529FD77A9AF54308F40403FF509AB1E2EF7C4D85C799
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                  • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                  • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 1164774033-405221262
                                  • Opcode ID: 5569ca3f5fbe7e4717efef4f34d69c98aa921a880cb4824fcc99a8611b97b131
                                  • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                  • Opcode Fuzzy Hash: 5569ca3f5fbe7e4717efef4f34d69c98aa921a880cb4824fcc99a8611b97b131
                                  • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EF0,?), ref: 0041C37D
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EF0,?), ref: 0041C3AD
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EF0,?), ref: 0041C41F
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EF0,?), ref: 0041C42C
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EF0,?), ref: 0041C402
                                  • GetLastError.KERNEL32(?,?,?,?,?,00474EF0,?), ref: 0041C44D
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C463
                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C46A
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C473
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 2341273852-0
                                  • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                  • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                  • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                  • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0217C5E4
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0217C614
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000), ref: 0217C686
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0217C693
                                    • Part of subcall function 0217C589: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0217C669
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0217C6B4
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0217C6CA
                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0217C6D1
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0217C6DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 2341273852-0
                                  • Opcode ID: 3ce5481c26192bdbfdec80ea01d0d7f8eca5c7462b2347321480bf835a106a91
                                  • Instruction ID: 39e0e55f3c62b217480ae4317cf5dcf59ae92906273c25b8dfe30cbaca526d7b
                                  • Opcode Fuzzy Hash: 3ce5481c26192bdbfdec80ea01d0d7f8eca5c7462b2347321480bf835a106a91
                                  • Instruction Fuzzy Hash: F5313072880218AADB20EB60DC88EDB77BDAB44315F1405A7F555D2161EB35DAC48EA4
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 02168AB3
                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02168B6C
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 02168B94
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02168BA1
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02168CB7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                  • String ID: xdF$y~E
                                  • API String ID: 1771804793-3309775686
                                  • Opcode ID: 6daaeeb5182955789cbb0b1f351cb088d7054b4b8db87a462276e125d99b3449
                                  • Instruction ID: 387b71255a2cb97c136c0170a4e743317a1a21dd28039e7521227572bce46ea2
                                  • Opcode Fuzzy Hash: 6daaeeb5182955789cbb0b1f351cb088d7054b4b8db87a462276e125d99b3449
                                  • Instruction Fuzzy Hash: F2519E72981208AFCF14FBA4DD999FE777AAF51300F500169AD06A3090EF349B69CF91
                                  APIs
                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 02176AF8
                                  • LoadLibraryA.KERNEL32(0046C780,0046C770,00000000,00000000,00000000), ref: 02176B0D
                                  • GetProcAddress.KERNEL32(00000000), ref: 02176B14
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressExitLibraryLoadProcWindows
                                  • String ID: !D@$$aF$(aF$,aF
                                  • API String ID: 1366546845-3582022958
                                  • Opcode ID: 75a5f7744587ae04ae432d9f49b3193e247e450872959b9b9f64d20b602a3b7a
                                  • Instruction ID: fb63801d15822a76adc67e5b9d406451cd9e0e3782c0e0553d25072d1bbad7c7
                                  • Opcode Fuzzy Hash: 75a5f7744587ae04ae432d9f49b3193e247e450872959b9b9f64d20b602a3b7a
                                  • Instruction Fuzzy Hash: 0B2171A07C4342AECE14F7B0989CABE725B9F91304F445C29A902571C5EF768C59CA26
                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                  • GetLastError.KERNEL32 ref: 0040A328
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                  • TranslateMessage.USER32(?), ref: 0040A385
                                  • DispatchMessageA.USER32(?), ref: 0040A390
                                  Strings
                                  • Keylogger initialization failure: error , xrefs: 0040A33C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                  • String ID: Keylogger initialization failure: error
                                  • API String ID: 3219506041-952744263
                                  • Opcode ID: cf8a00a9b01a8f106307687f5431c332e717f603719e73fdbf60c6d38cfb237a
                                  • Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                  • Opcode Fuzzy Hash: cf8a00a9b01a8f106307687f5431c332e717f603719e73fdbf60c6d38cfb237a
                                  • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA
                                  APIs
                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                  • API String ID: 2127411465-314212984
                                  • Opcode ID: f055ea799f88ac1a9188829ac7374e5e5a6c447f9263e09deb5da0b33bdbcfb9
                                  • Instruction ID: cc57822c2a7f940fffebe33daf0632284ddc1748a3b8d5e961f42c670a34d5b4
                                  • Opcode Fuzzy Hash: f055ea799f88ac1a9188829ac7374e5e5a6c447f9263e09deb5da0b33bdbcfb9
                                  • Instruction Fuzzy Hash: D1B1F671A0430066CA14BB76DC579AF36A89F91748F40053FB906671E2EE7D8A48C6DA
                                  APIs
                                  • _free.LIBCMT ref: 00449292
                                  • _free.LIBCMT ref: 004492B6
                                  • _free.LIBCMT ref: 0044943D
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                  • _free.LIBCMT ref: 00449609
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                  • String ID:
                                  • API String ID: 314583886-0
                                  • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                  • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                  • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                  • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                  APIs
                                    • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                    • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                    • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                    • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                    • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                  • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                  • String ID: !D@$PowrProf.dll$SetSuspendState
                                  • API String ID: 1589313981-2876530381
                                  • Opcode ID: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                  • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                  • Opcode Fuzzy Hash: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                  • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                  APIs
                                    • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                    • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                    • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                  • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                  • ExitProcess.KERNEL32 ref: 0040F905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                  • String ID: 0i$5.2.0 Pro$override$pth_unenc
                                  • API String ID: 2281282204-624219849
                                  • Opcode ID: 86a968b30e680dc65b0683ba5f8466b09d0d72c6331cb672c208b7226cfb4d79
                                  • Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
                                  • Opcode Fuzzy Hash: 86a968b30e680dc65b0683ba5f8466b09d0d72c6331cb672c208b7226cfb4d79
                                  • Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF
                                  APIs
                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                  Strings
                                  • http://geoplugin.net/json.gp, xrefs: 0041B448
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleOpen$FileRead
                                  • String ID: http://geoplugin.net/json.gp
                                  • API String ID: 3121278467-91888290
                                  • Opcode ID: 57dbabaecf7d387fca1fccaaf918aea223ffbee7dad3a19db74472bdfd73447a
                                  • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                  • Opcode Fuzzy Hash: 57dbabaecf7d387fca1fccaaf918aea223ffbee7dad3a19db74472bdfd73447a
                                  • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                  • GetLastError.KERNEL32 ref: 0040BA93
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                  • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                  • UserProfile, xrefs: 0040BA59
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  • API String ID: 2018770650-1062637481
                                  • Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                  • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                  • Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                  • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                  • GetLastError.KERNEL32 ref: 004179D8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3534403312-3733053543
                                  • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                  • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                  • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                  • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
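The function entries above (the WH_KEYBOARD_LL keyboard hook, the Shlwapi.dll/SHDeleteKeyW and PowrProf.dll/SetSuspendState dynamic imports, the HKCU registry read, the geoplugin.net lookup, the Chrome "Login Data" deletion, the Firefox profile enumeration, the SeShutdownPrivilege/ExitWindowsEx pair and the SCM service start further down) are the kind of API trace a responder wants to tag automatically rather than read line by line. The following is an added example, not part of the Joe Sandbox report and not code from the Remcos sample: it parses the "• Api.MODULE(args), ref: ADDR" lines in the format this report prints and applies a small set of behavioural rules to them. The embedded call lines are copied from the entries on this page; the rule names, the hive/access-mask tables and the reading of the second LoadLibraryA argument as the procedure name (which is how the Shlwapi.dll and PowrProf.dll entries appear here) are my own assumptions.

```python
"""Behavioural triage of Joe Sandbox-style API call listings (added example)."""
import re
from dataclasses import dataclass

# One report line, for example:
#   • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
#   • GetLastError.KERNEL32 ref: 0040A328
#     • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(...), ref: 004179B3
_CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_@][\w@]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

WH_KEYBOARD_LL = 0x0D  # idHook value seen in the SetWindowsHookExA call above
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# Constructed excerpt: call lines copied from the function entries on this page.
REPORT_EXCERPT = r"""
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
• GetProcAddress.KERNEL32(00000000), ref: 004142AC
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
"""


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool  # True for "Part of subcall function ..." lines


def _hex(arg):
    """Report arguments are hex words; resolved strings and '?' give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_calls(text):
    """Turn the bullet lines of one or more function entries into Call records."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue  # headers such as "Strings" or "Memory Dump Source"
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"].upper(), args,
                          int(m["ref"], 16), "Part of subcall" in line))
    return calls


def triage(calls):
    """Apply behaviour rules (my own naming) and return sorted findings."""
    findings = set()
    apis = {c.api for c in calls}
    blob = " ".join(a for c in calls for a in c.args)
    for c in calls:
        a = c.args
        if c.api.startswith("SetWindowsHookEx") and a and _hex(a[0]) == WH_KEYBOARD_LL:
            findings.add("keylogger: WH_KEYBOARD_LL hook installed")
        if c.api.startswith("RegOpenKeyEx") and len(a) >= 4 and _hex(a[0]) in HIVES:
            findings.add(f"registry open: {HIVES[_hex(a[0])]} "
                         f"({REG_ACCESS.get(_hex(a[3]), a[3])})")
        # Assumption: the report prints the GetProcAddress name after the DLL
        # name, so a non-hex second argument is the resolved procedure.
        if c.api.startswith("LoadLibrary") and len(a) >= 2 and _hex(a[1]) is None:
            findings.add(f"dynamic import: {a[0]}!{a[1]}")
        if c.api.startswith("DeleteFile") and any("Login Data" in x for x in a):
            findings.add("Chrome credential store deleted (Login Data)")
    if "InternetOpenUrlW" in apis and "geoplugin.net" in blob:
        findings.add("geolocation lookup: geoplugin.net")
    if r"\Mozilla\Firefox\Profiles" in blob and "FindFirstFileW" in apis:
        findings.add("Firefox profile enumeration")
    if "SeShutdownPrivilege" in blob and "ExitWindowsEx" in apis:
        findings.add("shutdown capability: SeShutdownPrivilege + ExitWindowsEx")
    if {"OpenSCManagerW", "StartServiceW"} <= apis:
        findings.add("service start via SCM")
    return sorted(findings)


def triage_report(text):
    return triage(parse_calls(text))


if __name__ == "__main__":
    for finding in triage_report(REPORT_EXCERPT):
        print(finding)
```

The rules deliberately key on argument values the report resolves (the hook id, the hive handle, the access mask, path and URL strings) rather than on API names alone, since SetWindowsHookEx or RegOpenKeyEx on their own are common in benign code; an entry whose arguments are only unresolved pointers, such as the LoadLibraryA(0046C780,0046C770,...) call in the 02160000 dump, is left untagged instead of guessed at.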
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  • Opcode ID: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                                  • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                  • Opcode Fuzzy Hash: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                                  • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00409293
                                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                  • FindClose.KERNEL32(00000000), ref: 004093FC
                                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474F08,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404E38
                                    • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404E43
                                    • Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404E4C
                                  • FindClose.KERNEL32(00000000), ref: 004095F4
                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000), ref: 00404B47
                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                  • String ID:
                                  • API String ID: 1824512719-0
                                  • Opcode ID: 3e41b3b17ee7b625e39a35955fea55242fe89250a83e2d42a4dc1e136830e029
                                  • Instruction ID: 7a56ba3823c44b8d3dadbfeca74e3365e00ee059376cf1b582d15bdd70b30780
                                  • Opcode Fuzzy Hash: 3e41b3b17ee7b625e39a35955fea55242fe89250a83e2d42a4dc1e136830e029
                                  • Instruction Fuzzy Hash: 8AB19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                  • String ID:
                                  • API String ID: 276877138-0
                                  • Opcode ID: ef3c0b856a1de7aadcfa328643844e0c859a8d8812f908c01dc675a5c8606680
                                  • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                  • Opcode Fuzzy Hash: ef3c0b856a1de7aadcfa328643844e0c859a8d8812f908c01dc675a5c8606680
                                  • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$CreateFirstNext
                                  • String ID: HSG$`XG$`XG
                                  • API String ID: 341183262-3993355375
                                  • Opcode ID: eb44e75cba824970a8d6236793f654e4149cf33d528ce4fb0e0c857079cc2993
                                  • Instruction ID: 3e2b8d556a8fbdbb081ab446324185a4f3aab8361380fbf0113865ad31d0729a
                                  • Opcode Fuzzy Hash: eb44e75cba824970a8d6236793f654e4149cf33d528ce4fb0e0c857079cc2993
                                  • Instruction Fuzzy Hash: 588151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                  • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                  • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,021B2A42,?,00000000), ref: 021B27BC
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,021B2A42,?,00000000), ref: 021B27E5
                                  • GetACP.KERNEL32(?,?,021B2A42,?,00000000), ref: 021B27FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction ID: ff7dad2d8f82bfbc8eaf6d59b2e3cc77b3aa8fc80580118a5729a19adf63e687
                                  • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction Fuzzy Hash: 8621B032A84104ABDB3A8F54C900BDB73B6EF64E65B568574EC0AD7910E732DD88C398
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02167AF9
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02167BC1
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNextsend
                                  • String ID: 8eF$hPG$hPG
                                  • API String ID: 4113138495-2076665626
                                  • Opcode ID: 79d3a8a708a64aea57361e3084ac94982208e9b0b63170387c171430dbef8cca
                                  • Instruction ID: f39d6fb8c7600404db4c0d72664b85a2f4204761a1ef4b3014395d7f1d2d3dd4
                                  • Opcode Fuzzy Hash: 79d3a8a708a64aea57361e3084ac94982208e9b0b63170387c171430dbef8cca
                                  • Instruction Fuzzy Hash: 1721AE325883419FC724FB60DC98DFFB3AAAF94354F44092DB99652090EF359A2DCE52
                                  APIs
                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                  • Instruction ID: e87eb13c1a863bb520e8110b03cd0e44f0123e9e346c2db4eb51eb31bea7c0b5
                                  • Opcode Fuzzy Hash: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                  • Instruction Fuzzy Hash: 23E01276600B21EBDB211FB1AC8CD467F25E7C9B533140075FA0582271CB758840DA58
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 004096A5
                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstH_prologNext
                                  • String ID:
                                  • API String ID: 1157919129-0
                                  • Opcode ID: f7b9eefe839b2bcd70172dbc221549f90cff3adc7a7dcd26f8bce347a4c33931
                                  • Instruction ID: 095255599cc0af9be2c5710cd9f248f54336688560ad7ccdcde9a73cf5c292f5
                                  • Opcode Fuzzy Hash: f7b9eefe839b2bcd70172dbc221549f90cff3adc7a7dcd26f8bce347a4c33931
                                  • Instruction Fuzzy Hash: CB813C729001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0216990C
                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 02169984
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 021699AD
                                  • FindClose.KERNEL32(?), ref: 021699C4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstH_prologNext
                                  • String ID:
                                  • API String ID: 1157919129-0
                                  • Opcode ID: f7b9eefe839b2bcd70172dbc221549f90cff3adc7a7dcd26f8bce347a4c33931
                                  • Instruction ID: d8455831efce660d038725e6ea8eb23732ee364e38826aabea19e4e70876dcd5
                                  • Opcode Fuzzy Hash: f7b9eefe839b2bcd70172dbc221549f90cff3adc7a7dcd26f8bce347a4c33931
                                  • Instruction Fuzzy Hash: 79814F328801199FCF15EBA0DC98DFE777AAF54310F14426AD916A70A0EF356B69CF90
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A855B
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8568
                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 021B2A03
                                  • IsValidCodePage.KERNEL32(00000000), ref: 021B2A5E
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 021B2A6D
                                  • GetLocaleInfoW.KERNEL32(?,00001001,021A4D54,00000040,?,021A4E74,00000055,00000000,?,?,00000055,00000000), ref: 021B2AB5
                                  • GetLocaleInfoW.KERNEL32(?,00001002,021A4DD4,00000040), ref: 021B2AD4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                  • String ID:
                                  • API String ID: 745075371-0
                                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                  • Instruction ID: 29c2b5995a323ea3b71ff9fed0bd2b5c43d066070b6119e2af8a6af462e4095c
                                  • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                  • Instruction Fuzzy Hash: AB51BF31A80216AFEF22EFA5CC40BFA73B9EF09701F140469ED14EB190E7749948CB61
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040884C
                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                  • String ID:
                                  • API String ID: 1771804793-0
                                  • Opcode ID: 23ee2504e33aeb78e6127e011e9d38d7d1f6fb91a84998afc16ba1de22ba214d
                                  • Instruction ID: 967e03bdddb214c30410211942a515ee3c29859e80101891d5c5db132fd2cd64
                                  • Opcode Fuzzy Hash: 23ee2504e33aeb78e6127e011e9d38d7d1f6fb91a84998afc16ba1de22ba214d
                                  • Instruction Fuzzy Hash: 94517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB99
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,00466C74,00000000), ref: 0216C63D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0216C710
                                  • FindClose.KERNEL32(00000000), ref: 0216C71F
                                  • FindClose.KERNEL32(00000000), ref: 0216C74A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID:
                                  • API String ID: 1164774033-0
                                  • Opcode ID: 50dcfcb7b67de677597e6206382afd1e9d383d20542bf2b2c795573622581393
                                  • Instruction ID: 14fde98244b23f1e90ca0c45ecb3c75f7f0c4b499fc8f70f74b6ee0f644d7e15
                                  • Opcode Fuzzy Hash: 50dcfcb7b67de677597e6206382afd1e9d383d20542bf2b2c795573622581393
                                  • Instruction Fuzzy Hash: 76316031580219AECB14E764EC9DEFE777AAF50700F00006BE405A2090EF749A56CE99
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 02177C01
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 02177C08
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,0046C7D8,?), ref: 02177C1A
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02177C39
                                  • GetLastError.KERNEL32 ref: 02177C3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID:
                                  • API String ID: 3534403312-0
                                  • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                  • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                  • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                  • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: FSE$FSE
                                  • API String ID: 0-1826177230
                                  • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                  • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                  • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                  • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DownloadExecuteFileShell
                                  • String ID: C:\Users\user\Desktop\YESOHDKMIm.exe$open
                                  • API String ID: 2825088817-1802593568
                                  • Opcode ID: 518f63ee9c8a76bee893cd117de7142e82c6612ba843363dd0837947d3a881d4
                                  • Instruction ID: e12f74d6213dd3660153607da8c9b98f7978e2d251169c1aa1e307be856b925d
                                  • Opcode Fuzzy Hash: 518f63ee9c8a76bee893cd117de7142e82c6612ba843363dd0837947d3a881d4
                                  • Instruction Fuzzy Hash: 1461C471A0830166CA14FB76C8569BE37A59F81758F40093FF9427B2D2EE3C9905C79B
                                  APIs
                                    • Part of subcall function 021737EB: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 0217380B
                                    • Part of subcall function 021737EB: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 02173829
                                    • Part of subcall function 021737EB: RegCloseKey.ADVAPI32(00000000), ref: 02173834
                                  • Sleep.KERNEL32(00000BB8), ref: 0216FAFD
                                  • ExitProcess.KERNEL32 ref: 0216FB6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                  • String ID: 0i$pth_unenc
                                  • API String ID: 2281282204-1399409803
                                  • Opcode ID: 1394831049f4826a0a0e3ef1d4c0173abc3fd9689c70638d12e3bfe0285db1cf
                                  • Instruction ID: b930e868eaa03b03fc309f13a7fda24d5cf33518383b16e3e10ad692a5e24991
                                  • Opcode Fuzzy Hash: 1394831049f4826a0a0e3ef1d4c0173abc3fd9689c70638d12e3bfe0285db1cf
                                  • Instruction Fuzzy Hash: F2212B61BC83012FC608B6784C5EA3E366B5BC1710F50451CF81A976C4FF758E118BA7
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNextsend
                                  • String ID: hPG$hPG
                                  • API String ID: 4113138495-4177492676
                                  • Opcode ID: 79d3a8a708a64aea57361e3084ac94982208e9b0b63170387c171430dbef8cca
                                  • Instruction ID: abfa5a3658aec55442980c0effbd4670719d50d4d7308f226e3cac976b3f196c
                                  • Opcode Fuzzy Hash: 79d3a8a708a64aea57361e3084ac94982208e9b0b63170387c171430dbef8cca
                                  • Instruction Fuzzy Hash: CB2195315082019BC314FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA09C65B
                                  APIs
                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                    • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                    • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000), ref: 004137E1
                                    • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000,?,00408798,00000001), ref: 004137EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateInfoParametersSystemValue
                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                  • API String ID: 4127273184-3576401099
                                  • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                  • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                  • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                  • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                  • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                  • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                  • String ID:
                                  • API String ID: 4212172061-0
                                  • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                  • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                  • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                  • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,021A4D5B,?,?,?,?,021A47B2,?,00000004), ref: 021B20A1
                                  • _wcschr.LIBVCRUNTIME ref: 021B2131
                                  • _wcschr.LIBVCRUNTIME ref: 021B213F
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,021A4D5B,00000000,021A4E7B), ref: 021B21E2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                  • String ID:
                                  • API String ID: 4212172061-0
                                  • Opcode ID: 99cd805ed4c2df00003a48f1a6811e4fd7c7d64455718b3e19dbc584044dc3e8
                                  • Instruction ID: bb076485108f83658a701cdce40ed9734f9179823408ba5036279b0f28caa5cc
                                  • Opcode Fuzzy Hash: 99cd805ed4c2df00003a48f1a6811e4fd7c7d64455718b3e19dbc584044dc3e8
                                  • Instruction Fuzzy Hash: A661E672680206AEDB27AB34CC45BE673B8EF08710F15046AEE09D7190EB74E948CB64
                                  APIs
                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0217CDCF
                                    • Part of subcall function 02173A11: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 02173A20
                                    • Part of subcall function 02173A11: RegSetValueExA.ADVAPI32(0046612C,0046CBC8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0217CDA9,0046CBC8,0046612C,00000001,00474EF0,00000000), ref: 02173A48
                                    • Part of subcall function 02173A11: RegCloseKey.ADVAPI32(0046612C,?,?,0217CDA9,0046CBC8,0046612C,00000001,00474EF0,00000000,?,021689FF,00000001), ref: 02173A53
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateInfoParametersSystemValue
                                  • String ID: ,aF$Control Panel\Desktop
                                  • API String ID: 4127273184-2883592193
                                  • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                  • Instruction ID: 458bfb10692331d59fcc7395e92c30125bad3663d610534ffcb2ecdbbdefa930
                                  • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                  • Instruction Fuzzy Hash: 16119D22BC024036D918313D9D5BFBE2C268387F61F91415BEA123A6C5FBDB5A5143CB
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: p'E$JD
                                  • API String ID: 1084509184-908320845
                                  • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                  • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                  • String ID:
                                  • API String ID: 2829624132-0
                                  • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                  • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                  • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                  • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                  • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                  • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                  • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                  APIs
                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00000000), ref: 004338DA
                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Context$AcquireRandomRelease
                                  • String ID:
                                  • API String ID: 1815803762-0
                                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                  APIs
                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,021938B5,00000024,?,?,?), ref: 02193B41
                                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02193B57
                                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 02193B69
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Context$AcquireRandomRelease
                                  • String ID:
                                  • API String ID: 1815803762-0
                                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction ID: 9b828e9844d3873c6783b38a2301708385ef21993c14ac3854a84694124a749f
                                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction Fuzzy Hash: 4EE09231248310FAEF311F25AC08F573A64EB81F65F210979F222E50E4D3528800C51C
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002,00000000), ref: 00443376
                                  • TerminateProcess.KERNEL32(00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002,00000000), ref: 0044337D
                                  • ExitProcess.KERNEL32 ref: 0044338F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,?,021A3592,00000000,0046E958,0000000C,021A36E9,00000000,00000002,00000000), ref: 021A35DD
                                  • TerminateProcess.KERNEL32(00000000,?,021A3592,00000000,0046E958,0000000C,021A36E9,00000000,00000002,00000000), ref: 021A35E4
                                  • ExitProcess.KERNEL32 ref: 021A35F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction ID: 7e01604bff5e1344e1d1178709af3495f666290b2c7bfe3ac917124572f7a77e
                                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction Fuzzy Hash: E6E0EC35440208FFCF116F68DE68B483B6BEF40742F1084A4F9198A172CB36DD52CB94
                                  APIs
                                  • OpenClipboard.USER32(00000000), ref: 0040B74C
                                  • GetClipboardData.USER32(0000000D), ref: 0040B758
                                  • CloseClipboard.USER32 ref: 0040B760
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$CloseDataOpen
                                  • String ID:
                                  • API String ID: 2058664381-0
                                  • Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                  • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                  • Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                  • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                  APIs
                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                  • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                  • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandleOpenResume
                                  • String ID:
                                  • API String ID: 3614150671-0
                                  • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                  • Instruction ID: dbaabbb0ea2570487ff62d8cf89bd30b477e7113d13ca21b8680662729a76e86
                                  • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                  • Instruction Fuzzy Hash: 66D05E36204121E3C320176A7C0CD97AD68DBC5AA2705412AF804C26649A60CC0186E4
                                  APIs
                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                  • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                  • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandleOpenSuspend
                                  • String ID:
                                  • API String ID: 1999457699-0
                                  • Opcode ID: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                  • Instruction ID: 1e4755145751be78863ec26184204985b99a3e1fec7ed1e2fa2d7a7f5aac3163
                                  • Opcode Fuzzy Hash: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                  • Instruction Fuzzy Hash: 73D05E36104121E3C6211B6A7C0CD97AD68DFC5AA2705412AF904D26509A20CC0186E4
                                  APIs
                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,021762A1,00000000), ref: 0217BE0C
                                  • NtSuspendProcess.NTDLL(00000000), ref: 0217BE19
                                  • CloseHandle.KERNEL32(00000000,?,?,021762A1,00000000), ref: 0217BE22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandleOpenSuspend
                                  • String ID:
                                  • API String ID: 1999457699-0
                                  • Opcode ID: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                  • Instruction ID: ef1ac62414abf87b10a8c32fa2a4d23018de2cb1209aefc332a690c25c2406ef
                                  • Opcode Fuzzy Hash: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                  • Instruction Fuzzy Hash: 52D05E37104121E7C220176A7C0CDA7ED68DFC9AA37054129F904C22509B20CC0186A4
                                  APIs
                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,021762C6,00000000), ref: 0217BE38
                                  • NtResumeProcess.NTDLL(00000000), ref: 0217BE45
                                  • CloseHandle.KERNEL32(00000000,?,?,021762C6,00000000), ref: 0217BE4E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandleOpenResume
                                  • String ID:
                                  • API String ID: 3614150671-0
                                  • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                  • Instruction ID: 5ea23e0e1c998b620119e3d6df2383b629b7b67571d66d0c76cef7aad3c50e3e
                                  • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                  • Instruction Fuzzy Hash: 7ED05E36204221E3C320176A7C0CD57EE78DFC5EA27254129F904C2254AB20CC0186A4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .$GetProcAddress.$l
                                  • API String ID: 0-2784972518
                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                  • Instruction ID: 9d09f4bf71310db208545c88e6d1876d258cb477de8417cdf57686ef8e2b68ec
                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                  • Instruction Fuzzy Hash: C33168B6900609CFDB10CF99C884BAEBBFAFF08324F15414AD845A7310D7B1EA55CBA4
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FeaturePresentProcessor
                                  • String ID:
                                  • API String ID: 2325560087-3916222277
                                  • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                  • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                  • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                  • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .
                                  • API String ID: 0-248832578
                                  • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                  • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                  • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                  • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .
                                  • API String ID: 0-248832578
                                  • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                  • Instruction ID: cc7c2f7f11e0bf96771dc186c3dba2d9f58209d59380316325cde95c39870a16
                                  • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                  • Instruction Fuzzy Hash: A431077594024DAFDB249E78CC98EEABBBEDF85314F0401B8E41997250E7309A458F60
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: JD
                                  • API String ID: 1084509184-2669065882
                                  • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                  • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: GetLocaleInfoEx
                                  • API String ID: 2299586839-2904428671
                                  • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                  • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                  • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                  • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 10f83df0c90a6610a8b53eb74bb6e058e5cc0ba0fe3e6508f91dd3b8627a5a0d
                                  • Instruction ID: 3f3f9acc0f6ff67bcabd60badfff6eb942c84662c14937149a5f0b2817ad5491
                                  • Opcode Fuzzy Hash: 10f83df0c90a6610a8b53eb74bb6e058e5cc0ba0fe3e6508f91dd3b8627a5a0d
                                  • Instruction Fuzzy Hash: 6D025C76E402599FDF18CFA9C8906ADBBF5FF88314F198169D919E7380D731A941CB80
                                  APIs
                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750F4), ref: 0041B6BB
                                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name$ComputerUser
                                  • String ID:
                                  • API String ID: 4229901323-0
                                  • Opcode ID: e75705911cc2a0b46837e609ad128fde2e6df1d534e004a7f5bb61fdffa7900c
                                  • Instruction ID: 96a0ba9ffe47efa01ac310f3847ceb2d7b3b0148e4494d8e74ae155582b6cc75
                                  • Opcode Fuzzy Hash: e75705911cc2a0b46837e609ad128fde2e6df1d534e004a7f5bb61fdffa7900c
                                  • Instruction Fuzzy Hash: 9E014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E888BA8
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                  • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                  • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                  • Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                  • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • String ID:
                                  • API String ID: 3997070919-0
                                  • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                  • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                  • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                  • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,021B360D,?,?,00000008,?,?,021B64C4,00000000), ref: 021B383F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • String ID:
                                  • API String ID: 3997070919-0
                                  • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                  • Instruction ID: 543f34b944d8c4c1d88063f6226d1d7e8427a194eaaa4d9ef7a22e16232471e1
                                  • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                  • Instruction Fuzzy Hash: B5B16275550609DFDB1ACF28C48AB947BF0FF45364F258698E8A9CF2A1C335D9A1CB40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                  • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                  • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                  • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                  • Instruction ID: 3ad422d48cecebca5a9069d9d30828f6925841b05388aad5138928370824b5f1
                                  • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                  • Instruction Fuzzy Hash: 65125C326483008FDB14EF65C851A1FF3E2BFC8754F198A6DE496A7390DB74E9458B82
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                  • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                  • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                  • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A855B
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8568
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 021B264E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  • Opcode ID: 92b4d6e99215bbe04ae581cd80a63159ab80ee2b3c46d7f2f4da99747f448a1f
                                  • Instruction ID: 8d77bc7e82d9b2215589d15b964a7642d8aee667e8bfc05b0f3208f8183bc701
                                  • Opcode Fuzzy Hash: 92b4d6e99215bbe04ae581cd80a63159ab80ee2b3c46d7f2f4da99747f448a1f
                                  • Instruction Fuzzy Hash: A321C57259020AAFDB2AAE78DC45BFA73BCEF04314F0001BAED01C6150EB349D88CB94
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,021A4D54,?,021B29D7,00000000,?,?,?), ref: 021B22F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction ID: eeb2b8367307b075f783a111e75be5eae32e633ed06498192c296950427ba75d
                                  • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction Fuzzy Hash: 5A11253A6007019FDB18AF39C8A0BBAB7A2FF84359B14482DE94687A50D371B906CB40
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale_abort_free
                                  • String ID:
                                  • API String ID: 2692324296-0
                                  • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                  • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,021B25C8,00000000,00000000,?), ref: 021B2856
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale_abort_free
                                  • String ID:
                                  • API String ID: 2692324296-0
                                  • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction ID: e822f4df0b983ad13066111b8556e00ecb6257a6c0b4d652a090de94b11a8601
                                  • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction Fuzzy Hash: 93F0F432A90215BBDF2A5A65C809BFA77B8EF40718F050479EC09A3150EB34FD45C690
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,021A4D54,?,021B299B,021A4D54,?,?,?,?,?,021A4D54,?,?), ref: 021B2369
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction ID: 9f1b9aefec95f67aac5b08eae8b36ba041c2ae33cad000e4b7bfa3bbd34ebcc6
                                  • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction Fuzzy Hash: 3AF022362403045FDB155F79D880BAB7BA1EF85768B05442DED458B670D3B198028A00
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,021A47B2,?,00000004), ref: 021A8C27
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                  • Instruction ID: 08d14f972d6c6d36058e144d0c7b5ab84646ec8b3bcf30d1f8357ddf22e416c3
                                  • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                  • Instruction Fuzzy Hash: 2CF0F03168130CFBCB016F60CC05FAE7B26EF08711F414565BC09662A1EB318D209A99
                                  APIs
                                    • Part of subcall function 00445909: RtlEnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                  • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                  APIs
                                    • Part of subcall function 021A5B70: RtlEnterCriticalSection.NTDLL(?), ref: 021A5B7F
                                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 021A8723
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction ID: f02fd9576973b7d27b60a32155e7221ced061c9032323426df70dc2665564d7f
                                  • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction Fuzzy Hash: 43F04F7AA90304EFDB01EF68D985B5D37E2EB04721F104466F414DB2A0DB7489809F49
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                  • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,021B29F9,021A4D54,?,?,?,?,?,021A4D54,?,?,?), ref: 021B226E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction ID: 7f78feaa00504d6f91bb69e1fef76cd291e946324bfe11509b738022c02e76a8
                                  • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction Fuzzy Hash: F8F0553A38020497CB05AF79D804BAA7FA0EFC1714F060098EE05CB261C3319842C764
                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,00475A10,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                  • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                  • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                  • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,?,00000003), ref: 0216FB87
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                  • Instruction ID: 72f5b5fef7d668b4fa84dab2aafe63f67438e3632abc6974e0b58ad676c15ad4
                                  • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                  • Instruction Fuzzy Hash: 1ED05B3074021C7BD61096959C0AEAA779CD705B52F000195BE05D72C0D9A05E0047D1
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                  • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                  • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                  • Instruction Fuzzy Hash:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                  • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                  • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                  • Instruction ID: 427db7c31ace1758bb28f3aec44e3d5f7b825d91927fc0336aa28b7abd15c20a
                                  • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                  • Instruction Fuzzy Hash: 1B515C716C4744ABEF38C97CC5547FF67DA9B0B608F08092BD882C7682D756E642CB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                  • Instruction ID: 9286ea88ced528486b03d46918314f120ac6e7f2c5c0d99ef4a9816ea32c2cb0
                                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                  • Instruction Fuzzy Hash: 485159B17C06445BEF3CCA68C9557BF37DAAB46348F08052BD892C7681D715E642CB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                  • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                  • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                  • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                  • Instruction ID: 3f63b5a335d2b96ff5ac428e8ccb87267c80a2dccfd142303d75216f57ada8b6
                                  • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                  • Instruction Fuzzy Hash: 6941FA769187458BC344CF29C58061AFBE1FFD8314F655A1EF89993390E376E9428F82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                  • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                  • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                  • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                  • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                  • Opcode Fuzzy Hash: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                  • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                  • Instruction ID: a2bbcd7d58c8bb8845bd83b1bb5b0ab2ca23b3fb40e7d245958717e7540a6d18
                                  • Opcode Fuzzy Hash: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                  • Instruction Fuzzy Hash: 9332C2316887469BC729CF28C49076BB7F5BFC8318F144A2DF8A587691D770D946CB82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                  • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                  • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                  • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                  • Instruction ID: 3baaf893b3a5daa46a5f38a99b4bfb8dbc31d3abcfa05a257e0808b447cc491d
                                  • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                  • Instruction Fuzzy Hash: 6F02BFB16146518FC358CF2EEC9053AF7E1AB8D311744863EE595C7381EB35E922CB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                  • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                  • Opcode Fuzzy Hash: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                  • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55cc36af361bbb429cac2c1a49b81fe186fd90216d15d23d5244979f9e081e2e
                                  • Instruction ID: 9c654da2397ff92024e8e5d7315306d1621a62a1f1df6a4c79fb830e998fecb0
                                  • Opcode Fuzzy Hash: 55cc36af361bbb429cac2c1a49b81fe186fd90216d15d23d5244979f9e081e2e
                                  • Instruction Fuzzy Hash: D1F19D756142548FC348DF1DE8A083BB3E5FB89311B440A2EF582C7391DB75EA16CBA6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                  • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                  • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                  • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                  • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                  • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                  • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                  • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                  • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                  • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                  • Opcode Fuzzy Hash: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                  • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                  • Instruction ID: 1158c9fd52fd9565e81cbd4c927c68b36b9ffd44fed769cb7986d624c5910e34
                                  • Opcode Fuzzy Hash: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                  • Instruction Fuzzy Hash: 60B171391142998ACB05EF68C4913F63BA1EFAA300F4850B9EC9CCF756E3358506EB64
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                  • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                  • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                  • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                  • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                  • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                  • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                  • Instruction ID: 8e362a04082efdd1f240133aefe7c7852c344e57326c2753f5ab881145ac45cc
                                  • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                  • Instruction Fuzzy Hash: 2C614A716C07186ADE3CDA68C8957BE33A6EF45708F04081BDA53DB282D712D942CBD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                  • Instruction ID: 3e074281ad8793a72859bcbc68770a5c4a85d7207cd207d211368806f67cb99d
                                  • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                  • Instruction Fuzzy Hash: C4613671AC0709AEDF38DFA8C8947BE6395EB01748F04093BE892DB6D0D752D982CB55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                  • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                  • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                  • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                  • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                  • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                  • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                  • Instruction ID: e2d38126294512e9f9602b4f68321c0395f325d55032cff63009cfb57cc80dfc
                                  • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                  • Instruction Fuzzy Hash: 6D616C76A483449FC304EF34D880A5BF7E9AFC8714F550E2DF49596190EB71EA098F92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction ID: 17caa6b0ff48d336bfaf8de87e964d1e421c52884c798f396ec14c5a93a08ccb
                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction Fuzzy Hash: 89112C772C114243DE54CA3DD8B46B7E795EBC712872F477AD1424B798E362E144D600
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                  • Instruction ID: 8aefb2e03bfe832e8c935329caa654c986fc1f0a6ad12d7bc440d1f32141431e
                                  • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                  • Instruction Fuzzy Hash: 0001F272A506008FDF21CF64C808BBE33E5FB8A206F1541A8D90B97281E370A851CB80
                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                    • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                  • DeleteDC.GDI32(00000000), ref: 00418F65
                                  • DeleteDC.GDI32(00000000), ref: 00418F68
                                  • DeleteObject.GDI32(00000000), ref: 00418F6B
                                  • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                  • DeleteDC.GDI32(00000000), ref: 00418F9D
                                  • DeleteDC.GDI32(00000000), ref: 00418FA0
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                  • GetCursorInfo.USER32(?), ref: 00418FE2
                                  • GetIconInfo.USER32(?,?), ref: 00418FF8
                                  • DeleteObject.GDI32(?), ref: 00419027
                                  • DeleteObject.GDI32(?), ref: 00419034
                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                  • DeleteDC.GDI32(?), ref: 004191B7
                                  • DeleteDC.GDI32(00000000), ref: 004191BA
                                  • DeleteObject.GDI32(00000000), ref: 004191BD
                                  • GlobalFree.KERNEL32(?), ref: 004191C8
                                  • DeleteObject.GDI32(00000000), ref: 0041927C
                                  • GlobalFree.KERNEL32(?), ref: 00419283
                                  • DeleteDC.GDI32(?), ref: 00419293
                                  • DeleteDC.GDI32(00000000), ref: 0041929E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                  • String ID: DISPLAY
                                  • API String ID: 4256916514-865373369
                                  APIs
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                  • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                  • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                  • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                  • ResumeThread.KERNEL32(?), ref: 00418470
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                  • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                  • GetLastError.KERNEL32 ref: 004184B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                  • API String ID: 4188446516-3035715614
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                  • ExitProcess.KERNEL32 ref: 0040D80B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$tMG$wend$while fso.FileExists("
                                  • API String ID: 1861856835-2336284224
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                  • ExitProcess.KERNEL32 ref: 0040D454
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: ")$.vbs$0i$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$tMG$wend$while fso.FileExists("$xpF
                                  • API String ID: 3797177996-797285230
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750F4,00000003), ref: 004124CF
                                  • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                  • CloseHandle.KERNEL32(00000000), ref: 00412576
                                  • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                  • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                  • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                  • Sleep.KERNEL32(000001F4), ref: 004126BD
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                  • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                  • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                  • String ID: (TG$.exe$HSG$WDH$exepath$open$temp_
                                  • API String ID: 2649220323-4116078715
                                  APIs
                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EF0,00000000), ref: 0041B21F
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                  • SetEvent.KERNEL32 ref: 0041B2AA
                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                  • CloseHandle.KERNEL32 ref: 0041B2CB
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                  • API String ID: 738084811-1354618412
                                  • Opcode ID: bd2b110da2ca1fcfbc9f5f31ce9bad629eae98cdd776655ca49a8c48591233c8
                                  • Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
                                  • Opcode Fuzzy Hash: bd2b110da2ca1fcfbc9f5f31ce9bad629eae98cdd776655ca49a8c48591233c8
                                  • Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0216594D
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  • __Init_thread_footer.LIBCMT ref: 0216598A
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 02165AA6
                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 02165AFE
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02165B23
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 02165B50
                                    • Part of subcall function 02194A68: __onexit.LIBCMT ref: 02194A6E
                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 02165C4B
                                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 02165C65
                                  • TerminateProcess.KERNEL32(00000000), ref: 02165C7E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileInit_thread_footerProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
                                  • String ID: @lG$@lG$@lG$@lG$@lG$cmd.exe$kG$lG$lG$lG$lG
                                  • API String ID: 3407654705-4159140512
                                  • Opcode ID: 134deb1b74f7a267023d5b3d6be2b85919463e512a8c115b3230a96783d88e77
                                  • Instruction ID: 87ab007ae70e62a0b3c1fe5f65b10a041abd0c1e9d633b93da58037e6c78e600
                                  • Opcode Fuzzy Hash: 134deb1b74f7a267023d5b3d6be2b85919463e512a8c115b3230a96783d88e77
                                  • Instruction Fuzzy Hash: 2791D370680205BFC715AF34AD48E7E3BABEB44340F41443EF989972A1DB359C588FA9
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 02172736
                                  • ExitProcess.KERNEL32(00000000), ref: 02172742
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 021727BC
                                  • OpenProcess.KERNEL32(00100000,00000000,?), ref: 021727CB
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 021727D6
                                  • CloseHandle.KERNEL32(00000000), ref: 021727DD
                                  • GetCurrentProcessId.KERNEL32 ref: 021727E3
                                  • PathFileExistsW.SHLWAPI(?), ref: 02172814
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 02172877
                                  • GetTempFileNameW.KERNEL32(?,0046C58C,00000000,?), ref: 02172891
                                  • lstrcatW.KERNEL32(?,0046C598), ref: 021728A3
                                    • Part of subcall function 0217C6E9: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0217C808,00000000,00000000,?), ref: 0217C728
                                  • Sleep.KERNEL32(000001F4), ref: 02172924
                                  • OpenProcess.KERNEL32(00100000,00000000,?), ref: 02172939
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02172944
                                  • CloseHandle.KERNEL32(00000000), ref: 0217294B
                                  • GetCurrentProcessId.KERNEL32 ref: 02172951
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExistsExitMutexNameSleeplstrcat
                                  • String ID: (TG$HSG$WDH$exepath
                                  • API String ID: 1507772987-3393174275
                                  • Opcode ID: 4d3f0b685dc8a736fe35167ab8bb01d6000fe9bcbab2a840902aa4913ecef93c
                                  • Instruction ID: 00cac219509600ddf7ff43ed9d2a9c0bf43443e8dee3d98cc6b987ff2e5c288d
                                  • Opcode Fuzzy Hash: 4d3f0b685dc8a736fe35167ab8bb01d6000fe9bcbab2a840902aa4913ecef93c
                                  • Instruction Fuzzy Hash: 8751B271A80325BFDB00ABA09C89EFE33BEAB55711F1041A5FD01A71D1EF748E468B64
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
                                  • WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
                                  • WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
                                  • WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID: RIFF$WAVE$data$fmt
                                  • API String ID: 1602526932-4212202414
                                  • Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                  • Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
                                  • Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                  • Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\YESOHDKMIm.exe,00000001,00407688,C:\Users\user\Desktop\YESOHDKMIm.exe,00000003,004076B0,0i,00407709), ref: 004072BF
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: C:\Users\user\Desktop\YESOHDKMIm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                  • API String ID: 1646373207-3979652426
                                  • Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                  • Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
                                  • Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                  • Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
                                  APIs
                                  • CreateDCA.GDI32(0046C888,00000000,00000000,00000000), ref: 02179132
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0217913F
                                    • Part of subcall function 021795C7: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 021795F7
                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 021791B5
                                  • DeleteObject.GDI32(00000000), ref: 021791D2
                                  • SelectObject.GDI32(00000000,00000000), ref: 021791F3
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0217922B
                                  • GetCursorInfo.USER32(?), ref: 02179249
                                  • GetIconInfo.USER32(?,?), ref: 0217925F
                                  • DeleteObject.GDI32(?), ref: 0217928E
                                  • DeleteObject.GDI32(?), ref: 0217929B
                                  • DrawIcon.USER32(00000000,?,?,?), ref: 021792A8
                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,00472DAC,00000000,00000000,00660046), ref: 021792DE
                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 0217930A
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 02179377
                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 021793E6
                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0217940A
                                  • DeleteObject.GDI32(00000000), ref: 02179424
                                  • GlobalFree.KERNEL32(?), ref: 0217942F
                                  • DeleteObject.GDI32(00000000), ref: 021794E3
                                  • GlobalFree.KERNEL32(?), ref: 021794EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Object$Delete$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                  • String ID:
                                  • API String ID: 2309981249-0
                                  • Opcode ID: a332c2859ef59da40decfcbeef2faf7b264db83c1a690ef57184ee4fa2b6b732
                                  • Instruction ID: ffb9d61bdc598a5342dd9302ee9bae22c5a42a282cff54aa0a059c9f994b1724
                                  • Opcode Fuzzy Hash: a332c2859ef59da40decfcbeef2faf7b264db83c1a690ef57184ee4fa2b6b732
                                  • Instruction Fuzzy Hash: 7CC13571548345AFD724DF24DC48B6BBBF9EB88711F00482DF98997290DB30E908CBA6
                                  APIs
                                    • Part of subcall function 02172AF2: TerminateProcess.KERNEL32(00000000,?,0216DAB1), ref: 02172B02
                                    • Part of subcall function 02172AF2: WaitForSingleObject.KERNEL32(000000FF,?,0216DAB1), ref: 02172B15
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0216D7BF
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0216D7D2
                                    • Part of subcall function 0217C6E9: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0217C808,00000000,00000000,?), ref: 0217C728
                                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0216DA66
                                  • ExitProcess.KERNEL32 ref: 0216DA72
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
                                  • String ID: @qF$DqF@qF$HSG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$exepath$fso.DeleteFolder "$tMG$while fso.FileExists("$xdF$xpF
                                  • API String ID: 1359289687-3606043978
                                  • Opcode ID: b11b77b2f0911714beb0fd5241e56fe4edddd35cf8c0429911916082daeda097
                                  • Instruction ID: b99cf4e0392fc773bab12f5955ee5be3d7e0b81048789fae971e0bfacd494575
                                  • Opcode Fuzzy Hash: b11b77b2f0911714beb0fd5241e56fe4edddd35cf8c0429911916082daeda097
                                  • Instruction Fuzzy Hash: C191B4312883405FC315FB20EC98ABF73AAAFD4700F10442EB94A571A1EF755D59CE66
                                  APIs
                                  • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                  • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                  • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                  • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                  • _wcslen.LIBCMT ref: 0041C1CC
                                  • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                  • GetLastError.KERNEL32 ref: 0041C204
                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                  • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                  • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                  • GetLastError.KERNEL32 ref: 0041C261
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                  • String ID: ?
                                  • API String ID: 3941738427-1684325040
                                  • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                  • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                  • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                  • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                  APIs
                                  • lstrlenW.KERNEL32(?), ref: 0217C32E
                                  • _memcmp.LIBVCRUNTIME ref: 0217C346
                                  • lstrlenW.KERNEL32(?), ref: 0217C35F
                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0217C39A
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0217C3AD
                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0217C3F1
                                  • lstrcmpW.KERNEL32(?,?), ref: 0217C40C
                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0217C424
                                  • _wcslen.LIBCMT ref: 0217C433
                                  • FindVolumeClose.KERNEL32(?), ref: 0217C453
                                  • GetLastError.KERNEL32 ref: 0217C46B
                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0217C498
                                  • lstrcatW.KERNEL32(?,?), ref: 0217C4B1
                                  • lstrcpyW.KERNEL32(?,?), ref: 0217C4C0
                                  • GetLastError.KERNEL32 ref: 0217C4C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                  • String ID: ?
                                  • API String ID: 3941738427-1684325040
                                  • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                  • Instruction ID: 4e90dc0f241fd055b6262d703e6a2a4ad62fb7795c4d1d2a089db1a0e1e35dcf
                                  • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                  • Instruction Fuzzy Hash: 45419172544306EBDB20DF64D848AABB7FCAB84715F10093BF546C2161EB70CA48CBE6
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                                  • String ID:
                                  • API String ID: 2719235668-0
                                  • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                  • Instruction ID: 90c15083fa2ef7d44c65f301edef13a5fdbed35605d89247e5fb1962cec7ac9f
                                  • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                  • Instruction Fuzzy Hash: 6FD1487AD80301AFEB35AFB48D70BAE7BA9EF01314F14416DE94597680E7738942CB90
                                  APIs
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 021784B9
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 021784D1
                                  • GetThreadContext.KERNEL32(?,00000000), ref: 021784E7
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0217850D
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0217858F
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 021785A3
                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 021785E3
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 021786AD
                                  • SetThreadContext.KERNEL32(?,00000000), ref: 021786CA
                                  • ResumeThread.KERNEL32(?), ref: 021786D7
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 021786EE
                                  • GetCurrentProcess.KERNEL32(?), ref: 021786F9
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 02178714
                                  • GetLastError.KERNEL32 ref: 0217871C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                  • String ID: ntdll
                                  • API String ID: 3275803005-3337577438
                                  • Opcode ID: 6fe37197d8788220cf6427c040a72875e8f2824bd02e1a8f118f24072f5bfafb
                                  • Instruction ID: c710ddefa720c1d727b5c87cc024a4a9bdd5a27da64fe3a0562eabda65c4bf4a
                                  • Opcode Fuzzy Hash: 6fe37197d8788220cf6427c040a72875e8f2824bd02e1a8f118f24072f5bfafb
                                  • Instruction Fuzzy Hash: 77A15CB0644301BFDB209F64DD89F6ABBF8FF88745F040829F68996191E774D844CB69
                                  APIs
                                    • Part of subcall function 02172AF2: TerminateProcess.KERNEL32(00000000,?,0216DAB1), ref: 02172B02
                                    • Part of subcall function 02172AF2: WaitForSingleObject.KERNEL32(000000FF,?,0216DAB1), ref: 02172B15
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0216D447
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0216D45A
                                    • Part of subcall function 0217BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,021642E3), ref: 0217BC97
                                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0216D6B4
                                  • ExitProcess.KERNEL32 ref: 0216D6BB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
                                  • String ID: 0i$HSG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$exepath$fso.DeleteFolder "$pth_unenc$tMG$while fso.FileExists("$xdF
                                  • API String ID: 508158800-4104759656
                                  • Opcode ID: d6205cb3342822a358df1c006c01160228257a4d1d5cd29ca502a7be0f12cfe1
                                  • Instruction ID: 4951c9faf45fe7283954ebc357b4144c064a1fd95018c897ed47ad384d27113f
                                  • Opcode Fuzzy Hash: d6205cb3342822a358df1c006c01160228257a4d1d5cd29ca502a7be0f12cfe1
                                  • Instruction Fuzzy Hash: 1781A1712883405FC715FB20E858ABF73AAAFD0700F10482EB996571E1EF749E19CE96
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                  • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                  • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                  • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                  • API String ID: 2490988753-3346362794
                                  • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                  • Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
                                  • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                  • Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$EnvironmentVariable$_wcschr
                                  • String ID:
                                  • API String ID: 3899193279-0
                                  • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                  • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                  • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                  • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                  • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumOpen
                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                  • API String ID: 1332880857-3714951968
                                  • Opcode ID: 8834d76765b8d9aa2aae2e6c3e4fc44c7e31d4deaeca63b3a5fa155628fd0460
                                  • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                  • Opcode Fuzzy Hash: 8834d76765b8d9aa2aae2e6c3e4fc44c7e31d4deaeca63b3a5fa155628fd0460
                                  • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Info
                                  • String ID:
                                  • API String ID: 2509303402-0
                                  • Opcode ID: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                  • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                  • Opcode Fuzzy Hash: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                  • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Info
                                  • String ID:
                                  • API String ID: 2509303402-0
                                  • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                  • Instruction ID: b9ecc8a7951f03da8775202232d06d197641e8ddbc5db1a7b72db17b05d57e19
                                  • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                  • Instruction Fuzzy Hash: 6FB1CE79940285AFDF11DFB8C8A0BEEBBF9BF48304F18806DE859A7241D73599458F60
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                  • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                  • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                  • Sleep.KERNEL32(00000064), ref: 00412ECF
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                  • String ID: /stext "$@TG$@TG
                                  • API String ID: 1223786279-723413999
                                  • Opcode ID: a90acd8d7071acfa2d0e9883792276cd2d83e9ecc9e4a0baa673cf908a2511cc
                                  • Instruction ID: 54c64e465a66050ec466d83b34d0c9889d7f3cdaa7358c1e9e14d2467042f0e2
                                  • Opcode Fuzzy Hash: a90acd8d7071acfa2d0e9883792276cd2d83e9ecc9e4a0baa673cf908a2511cc
                                  • Instruction Fuzzy Hash: 5B0268315083414AC325FB62D891AEFB3E5AFD0348F50483FF58A971E2EF785A49C65A
                                  APIs
                                  • _wcslen.LIBCMT ref: 0216D0A9
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0216D0C2
                                  • _wcslen.LIBCMT ref: 0216D188
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0216D210
                                  • _wcslen.LIBCMT ref: 0216D268
                                  • CloseHandle.KERNEL32 ref: 0216D2CF
                                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000001), ref: 0216D2ED
                                  • ExitProcess.KERNEL32 ref: 0216D304
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
                                  • String ID: 0i$6$C:\Users\user\Desktop\YESOHDKMIm.exe$xdF
                                  • API String ID: 3303048660-382275413
                                  • Opcode ID: 85d80f90eb8936f4a33c434981be971280dc758254c4ba1c1b26a19f3a1d9b59
                                  • Instruction ID: 55c5522b6cc97b6db77994ba1fb5654b48c05918de3185da7963e92b8dadab7b
                                  • Opcode Fuzzy Hash: 85d80f90eb8936f4a33c434981be971280dc758254c4ba1c1b26a19f3a1d9b59
                                  • Instruction Fuzzy Hash: 1251E3213C87006FD618B734AC6CB7F739AAF84701F00482DF9059A1D1EFA99D25CB6A
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                  • _free.LIBCMT ref: 0045137F
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 004513A1
                                  • _free.LIBCMT ref: 004513B6
                                  • _free.LIBCMT ref: 004513C1
                                  • _free.LIBCMT ref: 004513E3
                                  • _free.LIBCMT ref: 004513F6
                                  • _free.LIBCMT ref: 00451404
                                  • _free.LIBCMT ref: 0045140F
                                  • _free.LIBCMT ref: 00451447
                                  • _free.LIBCMT ref: 0045144E
                                  • _free.LIBCMT ref: 0045146B
                                  • _free.LIBCMT ref: 00451483
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 021B15F1
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B0806
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B0818
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B082A
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B083C
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B084E
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B0860
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B0872
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B0884
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B0896
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B08A8
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B08BA
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B08CC
                                    • Part of subcall function 021B07E9: _free.LIBCMT ref: 021B08DE
                                  • _free.LIBCMT ref: 021B15E6
                                    • Part of subcall function 021A6A69: HeapFree.KERNEL32(00000000,00000000,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?), ref: 021A6A7F
                                    • Part of subcall function 021A6A69: GetLastError.KERNEL32(?,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?,?), ref: 021A6A91
                                  • _free.LIBCMT ref: 021B1608
                                  • _free.LIBCMT ref: 021B161D
                                  • _free.LIBCMT ref: 021B1628
                                  • _free.LIBCMT ref: 021B164A
                                  • _free.LIBCMT ref: 021B165D
                                  • _free.LIBCMT ref: 021B166B
                                  • _free.LIBCMT ref: 021B1676
                                  • _free.LIBCMT ref: 021B16AE
                                  • _free.LIBCMT ref: 021B16B5
                                  • _free.LIBCMT ref: 021B16D2
                                  • _free.LIBCMT ref: 021B16EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction ID: 1377734c0a7a1d503b1929d4a28046cc452c5d0de511f67e4a1b0e9967fc7667
                                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction Fuzzy Hash: 0B319E79680301AFDB22AB79D864BD673FAEF40350F19842DE45DD7150DFB4AD808B90
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                  • __aulldiv.LIBCMT ref: 00408D88
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                  • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                  • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                  • CloseHandle.KERNEL32(00000000), ref: 00409037
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                  • API String ID: 3086580692-2596673759
                                  • Opcode ID: 04e944009091fcf5e4ae1f74c90f70d34d60c4a705d129e755f40c0b4dcad768
                                  • Instruction ID: 2d1ece25e1b497defd969945f9de4b01d63c4d7912a1bb42583949d7b10afa87
                                  • Opcode Fuzzy Hash: 04e944009091fcf5e4ae1f74c90f70d34d60c4a705d129e755f40c0b4dcad768
                                  • Instruction Fuzzy Hash: 76B1A0316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB9B
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                  • ExitProcess.KERNEL32 ref: 0040D9FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                  • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$Temp$exepath$open
                                  • API String ID: 1913171305-833065420
                                  • Opcode ID: f07d7b2f95756806177599d1f8f4961b197936d164d25737559c426f2532322c
                                  • Instruction ID: 050033375253242a90a907d975c9615f3488646990559cd5331657e2136e0730
                                  • Opcode Fuzzy Hash: f07d7b2f95756806177599d1f8f4961b197936d164d25737559c426f2532322c
                                  • Instruction Fuzzy Hash: 514139319001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E4ACA98
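The entry above is the Remcos self-removal routine: it queries a value under HKCU (the string `exepath` sits beside the registry calls), builds a .vbs in `Temp` from the literals `CreateObject("WScript.Shell").Run "cmd /c ""` ... `""", 0` and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`, launches it with ShellExecuteW("open") and calls ExitProcess. The earlier entry anchored at 00412B08 sleeps, deletes three files and calls send after a `/stext "` literal; `/stext <file>` is the switch NirSoft's password-recovery utilities take to write their output to a text file, so reading that entry as a credential dump followed by cleanup is an inference from the trace, not a statement in the report. The Python below is an added triage example, not code from the report or from the sample: it checks a .vbs body for the two literals and correlates constructed Sysmon-like process-creation events for the wscript-from-Temp to cmd /c chain and for the /stext switch. The reconstructed script body (inner del command and statement order), the event schema, the pid values and the tool name pv.exe are all assumptions.

```python
"""Triage helpers for two behaviours visible in the API traces above.

Every input here is constructed for the example: a reconstructed self-delete
.vbs body and a handful of process-creation events in a Sysmon-like shape.
None of it is telemetry from the sandbox run.
"""
import re

# Reconstructed from the string literals in the trace:
#   CreateObject("WScript.Shell").Run "cmd /c ""   ...   """, 0
#   CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
# The inner "del <exepath>" command and the statement order are assumptions.
SAMPLE_VBS = r'''CreateObject("WScript.Shell").Run "cmd /c ""del ""C:\Users\user\Desktop\YESOHDKMIm.exe""""", 0
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
'''

# WScript.Shell.Run handed a "cmd /c" command (the trailing ", 0" hides the
# window but is not required here, so minor variants still match) ...
_RUN_CMD = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s+/c\s+""', re.IGNORECASE)
# ... and the script deleting its own file via Wscript.ScriptFullName.
_SELF_DELETE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\('
    r'\s*WScript\.ScriptFullName\s*\)', re.IGNORECASE)


def vbs_self_delete_indicators(script_text):
    """Report which of the two literals from the trace occur in a .vbs body."""
    return {
        "runs_cmd": bool(_RUN_CMD.search(script_text)),
        "deletes_itself": bool(_SELF_DELETE.search(script_text)),
    }


def is_self_delete_stub(script_text):
    """True only when both literals are present, as in the dropped script."""
    ind = vbs_self_delete_indicators(script_text)
    return ind["runs_cmd"] and ind["deletes_itself"]


_TEMP_PATH = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
# /stext <file>: the switch NirSoft password-recovery tools take to write
# their results to a text file. Quoted and unquoted paths are both accepted.
_STEXT = re.compile(r'(?:^|\s)/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def triage_process_events(events):
    """Return (rule, pid, detail) findings over process-creation events.

    vbs_temp_cmd_chain: cmd.exe run with /c whose parent is wscript/cscript
        executing a .vbs from %TEMP% (the Temp + .vbs + ShellExecuteW chain).
    stext_dump: any process started with the /stext switch; detail is the
        output file path given to the switch.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if image.endswith("\\cmd.exe") and parent is not None:
            p_image = parent["image"].lower()
            p_cmd = parent["cmdline"]
            if (p_image.endswith(("\\wscript.exe", "\\cscript.exe"))
                    and ".vbs" in p_cmd.lower()
                    and _TEMP_PATH.search(p_cmd)
                    and re.search(r'\s/c\s', e["cmdline"], re.IGNORECASE)):
                findings.append(("vbs_temp_cmd_chain", e["pid"], p_cmd))
        m = _STEXT.search(e["cmdline"])
        if m:
            findings.append(("stext_dump", e["pid"], m.group(1) or m.group(2)))
    return findings


# Constructed events: pids, the dropped tool name pv.exe and file names are made up.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4000, "ppid": 1000, "image": r"C:\Users\user\Desktop\YESOHDKMIm.exe",
     "cmdline": r'"C:\Users\user\Desktop\YESOHDKMIm.exe"'},
    # self-delete stub: wscript running a .vbs from %TEMP%, then cmd /c
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"'},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "del "C:\Users\user\Desktop\YESOHDKMIm.exe""'},
    # credential dump: a dropped tool invoked with /stext (tool name assumed)
    {"pid": 4300, "ppid": 4000, "image": r"C:\Users\user\AppData\Local\Temp\pv.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\pv.exe" /stext "C:\Users\user\AppData\Local\Temp\out.txt"'},
    # benign: a logon script from a share also spawns cmd and must not fire
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe \\corp\netlogon\map.vbs'},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c net use H: \\corp\home'},
]

if __name__ == "__main__":
    print(vbs_self_delete_indicators(SAMPLE_VBS))
    for finding in triage_process_events(SAMPLE_EVENTS):
        print(finding)
```

The chain rule deliberately keys on the parent script living under `AppData\Local\Temp` rather than on wscript.exe alone, because logon and deployment scripts routinely spawn cmd.exe from script hosts; the /stext rule is broader and will also catch an administrator running a NirSoft tool by hand, so treat it as a lead to confirm against the deleted-file activity rather than a verdict on its own.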
                                  APIs
                                  • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                  • WSAGetLastError.WS2_32 ref: 00404A21
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                  • API String ID: 994465650-2151626615
                                  • Opcode ID: a9f52da9e66ed5cd7f1b931af44a3cf5b28ec7d3511071e0fd5312f2469806f1
                                  • Instruction ID: d7ad8a6a5323ad03425d5def7d05b30a9c8ce31cd4ccd690c712fe6c843f15aa
                                  • Opcode Fuzzy Hash: a9f52da9e66ed5cd7f1b931af44a3cf5b28ec7d3511071e0fd5312f2469806f1
                                  • Instruction Fuzzy Hash: AD41E8B575060277C61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                  • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                  • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                  • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                  APIs
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474F08,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404E38
                                  • SetEvent.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404E43
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404E4C
                                  • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404E91
                                  • SetEvent.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404EA2
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404EA9
                                  • SetEvent.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404EBA
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404EBF
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404EC4
                                  • SetEvent.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404ED1
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404ED6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                  • String ID:
                                  • API String ID: 3658366068-0
                                  • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                  • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                  • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                  • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                  APIs
                                    • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                  • GetLastError.KERNEL32 ref: 00455D6F
                                  • __dosmaperr.LIBCMT ref: 00455D76
                                  • GetFileType.KERNEL32(00000000), ref: 00455D82
                                  • GetLastError.KERNEL32 ref: 00455D8C
                                  • __dosmaperr.LIBCMT ref: 00455D95
                                  • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                  • CloseHandle.KERNEL32(?), ref: 00455EFF
                                  • GetLastError.KERNEL32 ref: 00455F31
                                  • __dosmaperr.LIBCMT ref: 00455F38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                  • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                  • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                  • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 021723A8
                                    • Part of subcall function 02173B19: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 02173B27
                                    • Part of subcall function 02173B19: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0216C3F4,00466C58,00000001,000000AF,004660B4), ref: 02173B42
                                    • Part of subcall function 02173B19: RegCloseKey.ADVAPI32(004660B4,?,?,?,0216C3F4,00466C58,00000001,000000AF,004660B4), ref: 02173B4D
                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 021723E8
                                  • CloseHandle.KERNEL32(00000000), ref: 021723F7
                                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 0217244D
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 021726BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                  • String ID: (TG$0i$WDH
                                  • API String ID: 3018269243-1519029905
                                  • Opcode ID: 5e2c9192a2b0cb75254e7534c22423ef00316a0a2f71cd50fc63b55ddcb72ecb
                                  • Instruction ID: 66f78db74836aa26f9d87733273dbb761eab7bec00de6a6b12cf9e5acf0a8af7
                                  • Opcode Fuzzy Hash: 5e2c9192a2b0cb75254e7534c22423ef00316a0a2f71cd50fc63b55ddcb72ecb
                                  • Instruction Fuzzy Hash: CF718F316882006FC618FB74DC99DBF77BAAFD5700F50092EB98252190EF749A15CAA7
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: \&G$\&G$`&G
                                  • API String ID: 269201875-253610517
                                  • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                  • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                  • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                  • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: \&G$\&G$`&G
                                  • API String ID: 269201875-253610517
                                  • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                  • Instruction ID: 5d28b87cab7a05391a6a4e29331154691292da2d2119988b51db770a633bb24d
                                  • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                  • Instruction Fuzzy Hash: 2361F579950205AFDB21DF68C841BDBBBF5EF48710F24816AE955EB290DB30AD41CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 65535$udp
                                  • API String ID: 0-1267037602
                                  • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                  • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 65535$udp
                                  • API String ID: 0-1267037602
                                  • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction ID: 7125df85ce7c3c4f658e55600a12ba7008462df9997a3b32e65c3d8c5536fe1b
                                  • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction Fuzzy Hash: 6751E435289301AFD3249A68D904B3F7BF6AFC4758F08082DFC9597291EB79C840D7A6
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0040AD73
                                  • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                  • GetForegroundWindow.USER32 ref: 0040AD84
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                  • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                  • String ID: [${ User has been idle for $ minutes }$]
                                  • API String ID: 911427763-3954389425
                                  • Opcode ID: b06ca0c711f551fa613fb528b9a86c1082eaad7740c8b83a56c6ee9751395190
                                  • Instruction ID: 1462e2e3b317a3feaa81e481452c264ee2198f2d95b6ea563507fc8e19ff55dc
                                  • Opcode Fuzzy Hash: b06ca0c711f551fa613fb528b9a86c1082eaad7740c8b83a56c6ee9751395190
                                  • Instruction Fuzzy Hash: 7F51E1716043419BC714FB62D846AAE7795AF84308F10093FF546A22E2EF7C9D44C69F
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                  • GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                  • __dosmaperr.LIBCMT ref: 0043A926
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                  • GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                  • __dosmaperr.LIBCMT ref: 0043A963
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                  • __dosmaperr.LIBCMT ref: 0043A9B7
                                  • _free.LIBCMT ref: 0043A9C3
                                  • _free.LIBCMT ref: 0043A9CA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                  • String ID:
                                  • API String ID: 2441525078-0
                                  • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                  • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                  • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                  • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02161E40,?,00000050,00465DF0,00000000), ref: 0219AB79
                                  • GetLastError.KERNEL32(?,?,02161E40,?,00000050,00465DF0,00000000), ref: 0219AB86
                                  • __dosmaperr.LIBCMT ref: 0219AB8D
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02161E40,?,00000050,00465DF0,00000000), ref: 0219ABB9
                                  • GetLastError.KERNEL32(?,?,?,02161E40,?,00000050,00465DF0,00000000), ref: 0219ABC3
                                  • __dosmaperr.LIBCMT ref: 0219ABCA
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465DF0,00000000,00000000,?,?,?,?,?,?,02161E40,?), ref: 0219AC0D
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,02161E40,?,00000050,00465DF0,00000000), ref: 0219AC17
                                  • __dosmaperr.LIBCMT ref: 0219AC1E
                                  • _free.LIBCMT ref: 0219AC2A
                                  • _free.LIBCMT ref: 0219AC31
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                  • String ID:
                                  • API String ID: 2441525078-0
                                  • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                  • Instruction ID: f919d8f3f30e38f284796e4fed4bcfa276ed2a148ca142dea7c4fdccb4dfa92e
                                  • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                  • Instruction Fuzzy Hash: 3F31DE7684020EFFDF25AFA4DC54DAF7B6EEF04324B144128F9259A1A0EB31C954CBA0
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,?,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                  • __freea.LIBCMT ref: 0044AEB0
                                    • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • __freea.LIBCMT ref: 0044AEB9
                                  • __freea.LIBCMT ref: 0044AEDE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                  • String ID: tC
                                  • API String ID: 3864826663-886086030
                                  • Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                  • Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0216F730
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0216F75B
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0216F777
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0216F7F6
                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0216F805
                                    • Part of subcall function 0217C4D5: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0217C4ED
                                    • Part of subcall function 0217C4D5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0217C500
                                  • CloseHandle.KERNEL32(00000000), ref: 0216F910
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                  • String ID: 0i$xdF$xdF
                                  • API String ID: 3756808967-2017907653
                                  • Opcode ID: 3acc3f55b6397cee36b7d5ef666cd78527c930f9b8fa3a8dd2be36fd150b4bf2
                                  • Instruction ID: a606468824d32c895c661bdacff7719481c72036a8498a497b0048b61c5f6aea
                                  • Opcode Fuzzy Hash: 3acc3f55b6397cee36b7d5ef666cd78527c930f9b8fa3a8dd2be36fd150b4bf2
                                  • Instruction Fuzzy Hash: B37151311983419FD724FB20D898DBFB7A6AFD1304F50482DE986431A1EF319A5ACF96
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0$1$2$3$4$5$6$7
                                  • API String ID: 0-3177665633
                                  • Opcode ID: 8290dbae049be2cdd206d8bf1c1fda6425e159576a2ff2ba4f12e613f6a6ac2b
                                  • Instruction ID: 412edbf9652b4a6d714aea06c2dfd8d62d4b8df6f48f8784c5ac73ac6109a930
                                  • Opcode Fuzzy Hash: 8290dbae049be2cdd206d8bf1c1fda6425e159576a2ff2ba4f12e613f6a6ac2b
                                  • Instruction Fuzzy Hash: AD719E705C9301AEE718EF20C854BAE7BA7AF94311F50885DF592671D0EB749A0CCBA3
                                  APIs
                                  • Sleep.KERNEL32(00001388), ref: 0216A9E2
                                    • Part of subcall function 0216A917: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0216A9EF), ref: 0216A94D
                                    • Part of subcall function 0216A917: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0216A9EF), ref: 0216A95C
                                    • Part of subcall function 0216A917: Sleep.KERNEL32(00002710,?,?,?,0216A9EF), ref: 0216A989
                                    • Part of subcall function 0216A917: CloseHandle.KERNEL32(00000000,?,?,?,0216A9EF), ref: 0216A990
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0216AA1E
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0216AA2F
                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0216AA46
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0216AAC0
                                    • Part of subcall function 0217C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02164396,00465E84), ref: 0217C796
                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0216ABC9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                  • String ID: HSG$HSG$xdF
                                  • API String ID: 3795512280-1850865910
                                  • Opcode ID: ee43014d5746d14645f6668cadf5631493de7d4a0f01bd42126bf8b4894f61e4
                                  • Instruction ID: 288059e8a07838d04e58e12213fb653be2a391a26e1ac52d4862b3c375c60f0d
                                  • Opcode Fuzzy Hash: ee43014d5746d14645f6668cadf5631493de7d4a0f01bd42126bf8b4894f61e4
                                  • Instruction Fuzzy Hash: F4519E712843005FCB18BB70D86CABF779B9F95301F04492DB946A71E0EF359E298E96
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                  • TranslateMessage.USER32(?), ref: 0040557E
                                  • DispatchMessageA.USER32(?), ref: 00405589
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 2956720200-749203953
                                  • Opcode ID: 406689eb07ce060b1dcd97a74506ab079ccadf2d4c581598b986e42cef4983c7
                                  • Instruction ID: af141abdc89e6f99b360bf73ca1bd21391e8bea30a055eafc68b1e1601de11b4
                                  • Opcode Fuzzy Hash: 406689eb07ce060b1dcd97a74506ab079ccadf2d4c581598b986e42cef4983c7
                                  • Instruction Fuzzy Hash: 6F419E71604301ABCB14FB76DC5A86F37A9AB85704F40493EF516A32E1EF3C8905CB9A
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 02165726
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 021657D6
                                  • TranslateMessage.USER32(?), ref: 021657E5
                                  • DispatchMessageA.USER32(?), ref: 021657F0
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 021658A8
                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 021658E0
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 2956720200-749203953
                                  • Opcode ID: 406689eb07ce060b1dcd97a74506ab079ccadf2d4c581598b986e42cef4983c7
                                  • Instruction ID: 339fb1b43e2587487f1b7f661fd23e670c22c63706949f7a45930a4a5c225b2e
                                  • Opcode Fuzzy Hash: 406689eb07ce060b1dcd97a74506ab079ccadf2d4c581598b986e42cef4983c7
                                  • Instruction Fuzzy Hash: A9419C31684301AFCB24FB74DC5C87E37AAAB85700B80492DF91693194EF35D915CB96
                                  APIs
                                    • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                  • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                  • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00417DE3
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                  • String ID: <$@$@VG$@VG$Temp
                                  • API String ID: 1704390241-1291085672
                                  • Opcode ID: 9a720f4f888f1525bdbf75a62ef7587c2160d9ec115db0d441fc7e9c2bd624ef
                                  • Instruction ID: 17e4c8e037c7e297ff37edeb8814921eaebe5ca95f3622e3753009d7d6553322
                                  • Opcode Fuzzy Hash: 9a720f4f888f1525bdbf75a62ef7587c2160d9ec115db0d441fc7e9c2bd624ef
                                  • Instruction Fuzzy Hash: 15417E319002199ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 02171110
                                  • int.LIBCPMT ref: 02171123
                                    • Part of subcall function 0216E363: std::_Lockit::_Lockit.LIBCPMT ref: 0216E374
                                    • Part of subcall function 0216E363: std::_Lockit::~_Lockit.LIBCPMT ref: 0216E38E
                                  • std::_Facet_Register.LIBCPMT ref: 02171163
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0217116C
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0217118A
                                  • __Init_thread_footer.LIBCMT ref: 021711CB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                  • String ID: <kG$@!G$@kG
                                  • API String ID: 3815856325-4100743575
                                  • Opcode ID: a775fd09b9bd59cd8d1293661eff86217fedb4cdc6fe336e067938c0c3205025
                                  • Instruction ID: c344c6d7f0bc8407afccf8c582b781bbef94a6386a5f750a5890c8707fe84dc7
                                  • Opcode Fuzzy Hash: a775fd09b9bd59cd8d1293661eff86217fedb4cdc6fe336e067938c0c3205025
                                  • Instruction Fuzzy Hash: F4213836980514AFCB14FB68D844DEE777BDF81720B61416AE908EB290DF31AA418FD4
                                  APIs
                                  • OpenClipboard.USER32 ref: 0041697C
                                  • EmptyClipboard.USER32 ref: 0041698A
                                  • CloseClipboard.USER32 ref: 00416990
                                  • OpenClipboard.USER32 ref: 00416997
                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                  • CloseClipboard.USER32 ref: 004169BF
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                  • String ID: !D@
                                  • API String ID: 2172192267-604454484
                                  • Opcode ID: 714596017678f15f46549e3b50181fa6cb84449448661dd5f115107523fa2353
                                  • Instruction ID: 51ec5b3583c04982a71d168622c94cade283f75070810aedfe93923cca0dc87c
                                  • Opcode Fuzzy Hash: 714596017678f15f46549e3b50181fa6cb84449448661dd5f115107523fa2353
                                  • Instruction Fuzzy Hash: 41014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: eb6abd722e0cae9a5b5ac2f6fd433bf2c3c2a2b9123b5e78852541010ca8cce1
                                  • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                  • Opcode Fuzzy Hash: eb6abd722e0cae9a5b5ac2f6fd433bf2c3c2a2b9123b5e78852541010ca8cce1
                                  • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                  APIs
                                  • _free.LIBCMT ref: 004481B5
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 004481C1
                                  • _free.LIBCMT ref: 004481CC
                                  • _free.LIBCMT ref: 004481D7
                                  • _free.LIBCMT ref: 004481E2
                                  • _free.LIBCMT ref: 004481ED
                                  • _free.LIBCMT ref: 004481F8
                                  • _free.LIBCMT ref: 00448203
                                  • _free.LIBCMT ref: 0044820E
                                  • _free.LIBCMT ref: 0044821C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                  • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                  • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                  APIs
                                  • _free.LIBCMT ref: 021A841C
                                    • Part of subcall function 021A6A69: HeapFree.KERNEL32(00000000,00000000,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?), ref: 021A6A7F
                                    • Part of subcall function 021A6A69: GetLastError.KERNEL32(?,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?,?), ref: 021A6A91
                                  • _free.LIBCMT ref: 021A8428
                                  • _free.LIBCMT ref: 021A8433
                                  • _free.LIBCMT ref: 021A843E
                                  • _free.LIBCMT ref: 021A8449
                                  • _free.LIBCMT ref: 021A8454
                                  • _free.LIBCMT ref: 021A845F
                                  • _free.LIBCMT ref: 021A846A
                                  • _free.LIBCMT ref: 021A8475
                                  • _free.LIBCMT ref: 021A8483
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                  • Instruction ID: 8f58f7aacb989d02cc7955b5e31144802460d4016425246628bbf22cd5f7dd94
                                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                  • Instruction Fuzzy Hash: 7411927E640149EFCF01EFD5D850C993BAAEF44750F45C0AABA098B221DB35EE909F80
                                  APIs
                                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                  • String ID: HSG$HSG
                                  • API String ID: 3795512280-2729845973
                                  • Opcode ID: 66f46599578da9462cfc73df4298f3e368e9e17d46714e4cb5b61a7eab0f7c39
                                  • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                  • Opcode Fuzzy Hash: 66f46599578da9462cfc73df4298f3e368e9e17d46714e4cb5b61a7eab0f7c39
                                  • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0216AFDA
                                  • Sleep.KERNEL32(000001F4), ref: 0216AFE5
                                  • GetForegroundWindow.USER32 ref: 0216AFEB
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0216AFF4
                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0216B028
                                  • Sleep.KERNEL32(000003E8), ref: 0216B0F6
                                    • Part of subcall function 0216A8D8: SetEvent.KERNEL32(00000000,?,00000000,0216B4AC,00000000), ref: 0216A904
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                  • String ID: [${ User has been idle for
                                  • API String ID: 911427763-3934435721
                                  • Opcode ID: 5ee2c78c8a8c2723ec7a8df9fd339e5f39d76bf293b8d952a53785ca8cbc84cd
                                  • Instruction ID: f1383c1988b4ae8b574d8856d8bc26ac2c4e3e427a335e3de966ad939f62d008
                                  • Opcode Fuzzy Hash: 5ee2c78c8a8c2723ec7a8df9fd339e5f39d76bf293b8d952a53785ca8cbc84cd
                                  • Instruction Fuzzy Hash: 1751C771688240AFC714FB64D89CA7E77A7AF84308F00092DF946E21A0DF349A65CB97
                                  APIs
                                  • RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DecodePointer
                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                  • API String ID: 3527080286-3064271455
                                  • Opcode ID: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
                                  • Instruction ID: 9e278d4a377d0ea10dd73248deb0d867b2e8f6339126d6964ada8e5ca1a1e79f
                                  • Opcode Fuzzy Hash: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
                                  • Instruction Fuzzy Hash: AA515071900909DBCB10DF58E9481BDBBB0FB49306F924197D841A7296DB798928CB1E
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02175077
                                  • LoadLibraryA.KERNEL32(?), ref: 021750B9
                                  • LoadLibraryA.KERNEL32(?), ref: 02175118
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 02175140
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$AddressDirectoryProcSystem
                                  • String ID: IA$EIA$EIA$KA
                                  • API String ID: 4217395396-533031392
                                  • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                  • Instruction ID: cac2b10faf911b78538c7226f7033cc8403b6d4865673159c6096f741265a48a
                                  • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                  • Instruction Fuzzy Hash: 5C31D3B5541315BBC320AF28CC88E9F77E9AF84745F454929FC8897211E734D9448AEA
                                  APIs
                                    • Part of subcall function 021781CE: __EH_prolog.LIBCMT ref: 021781D3
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 0217807E
                                  • CloseHandle.KERNEL32(00000000), ref: 02178087
                                  • DeleteFileA.KERNEL32(00000000), ref: 02178096
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0217804A
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                  • String ID: <$@$@VG$@VG
                                  • API String ID: 1704390241-2205361588
                                  • Opcode ID: eea35f2c3a8d62de1aa52fd5462c584050f94ce4e194358ae086a1020c7aa3a8
                                  • Instruction ID: 4bee513e808ae3dda20d3fe866b4c84b20446efad9b054117e999901b5eb147c
                                  • Opcode Fuzzy Hash: eea35f2c3a8d62de1aa52fd5462c584050f94ce4e194358ae086a1020c7aa3a8
                                  • Instruction Fuzzy Hash: 2E41AE319802099FCB04FBA0DC59BFE7736AF20301F504269E90A660E4EF741A9ACF91
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • Sleep.KERNEL32(00000064), ref: 0041755C
                                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateDeleteExecuteShellSleep
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1462127192-2001430897
                                  • Opcode ID: 37aa6dfc11f6c23b61123195fd4bee991378c13dd1bcd511b3cf646397b8e908
                                  • Instruction ID: 4d831fdf2c11e0d815db77489a542135a470e493f6e320739c61594aa9f7fbeb
                                  • Opcode Fuzzy Hash: 37aa6dfc11f6c23b61123195fd4bee991378c13dd1bcd511b3cf646397b8e908
                                  • Instruction Fuzzy Hash: A4313D71940119AADB04FBA1DC96DED7739AF50309F00017EF606731E2EF785A8ACA9C
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00472B28,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                                  • GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\YESOHDKMIm.exe), ref: 004074D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentProcess
                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                  • API String ID: 2050909247-4242073005
                                  • Opcode ID: a6b1f7e6a89e8d10aee47b8b65162d365cd1003091a90439fbe9ba5c5e211239
                                  • Instruction ID: b8c3dc73ce560081c95a6921e0e4b034ac7c55c8f908ce4a4bfc67d5bc942e58
                                  • Opcode Fuzzy Hash: a6b1f7e6a89e8d10aee47b8b65162d365cd1003091a90439fbe9ba5c5e211239
                                  • Instruction Fuzzy Hash: 7631C271604700ABD311EF65DE46F1677A8FB48315F10087EF509E6292DBB8B8418B6E
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                  • int.LIBCPMT ref: 00410EBC
                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                  • String ID: <kG$@kG
                                  • API String ID: 3815856325-1261746286
                                  • Opcode ID: a775fd09b9bd59cd8d1293661eff86217fedb4cdc6fe336e067938c0c3205025
                                  • Instruction ID: 0588f859592fb32d2b707c82d02c9514845f82bff388d80d729849e078334d39
                                  • Opcode Fuzzy Hash: a775fd09b9bd59cd8d1293661eff86217fedb4cdc6fe336e067938c0c3205025
                                  • Instruction Fuzzy Hash: 622107329005249BCB14FBAAD8429DE7769DF48324F21416FF904E72D1DBB9AD818BDC
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                  • lstrcpyn.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
                                  • Shell_NotifyIcon.SHELL32(00000000,00474B58), ref: 0041D56E
                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID: Remcos
                                  • API String ID: 1970332568-165870891
                                  • Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                  • Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
                                  • Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                  • Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                  • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                  • Instruction ID: 5a284eb5751ce8e4c15df7ba6ba0b9de27ddcd9ee100b309d56ad84481fc6ccd
                                  • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                  • Instruction Fuzzy Hash: ECC136B8E84749AFCF15DFA8E860BAE7BB5BF09304F044199E814A7391C7749941CFA1
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                  • __alloca_probe_16.LIBCMT ref: 00454014
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                    • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                  • __freea.LIBCMT ref: 00454083
                                  • __freea.LIBCMT ref: 0045408F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                  • String ID:
                                  • API String ID: 201697637-0
                                  • Opcode ID: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                  • Opcode Fuzzy Hash: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02172D6F
                                    • Part of subcall function 0217BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,021642E3), ref: 0217BC97
                                    • Part of subcall function 0217880A: CloseHandle.KERNEL32(0216435C,?,?,0216435C,00465E84), ref: 02178820
                                    • Part of subcall function 0217880A: CloseHandle.KERNEL32(00465E84,?,?,0216435C,00465E84), ref: 02178829
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 02173067
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 0217309E
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 021730DA
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                  • String ID: ,aF$@TG$@TG
                                  • API String ID: 1937857116-1509070744
                                  • Opcode ID: a90acd8d7071acfa2d0e9883792276cd2d83e9ecc9e4a0baa673cf908a2511cc
                                  • Instruction ID: b1e1ce7ad468175003f74b593285ec5348e6b1ed5a627d6d8002c658b5352705
                                  • Opcode Fuzzy Hash: a90acd8d7071acfa2d0e9883792276cd2d83e9ecc9e4a0baa673cf908a2511cc
                                  • Instruction Fuzzy Hash: 010220315883809FC329FB60D898AFFB3E6AFD4340F50492DE99A47194EF705A59CE52
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                  • _free.LIBCMT ref: 00445515
                                  • _free.LIBCMT ref: 0044552E
                                  • _free.LIBCMT ref: 00445560
                                  • _free.LIBCMT ref: 00445569
                                  • _free.LIBCMT ref: 00445575
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast$_abort_memcmp
                                  • String ID: C
                                  • API String ID: 1679612858-1037565863
                                  • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                  • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                  • _memcmp.LIBVCRUNTIME ref: 021A570B
                                  • _free.LIBCMT ref: 021A577C
                                  • _free.LIBCMT ref: 021A5795
                                  • _free.LIBCMT ref: 021A57C7
                                  • _free.LIBCMT ref: 021A57D0
                                  • _free.LIBCMT ref: 021A57DC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast$_abort_memcmp
                                  • String ID: C
                                  • API String ID: 1679612858-1037565863
                                  • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                  • Instruction ID: 281653cf43ac85adf4f7b39e6073267fdee8acb8056a3136c8cdb598e33c6759
                                  • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                  • Instruction Fuzzy Hash: AFB12979E45219EFDB24DF18C894BADB7B6FB48314F5085AAD849A7250E730AE90CF40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: tcp$udp
                                  • API String ID: 0-3725065008
                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Eventinet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                  • API String ID: 3578746661-168337528
                                  • Opcode ID: 404f35b90608a89b0d3f03aab107b3c04e7cde7649badd6db9837dedf6a72447
                                  • Instruction ID: cd9a01f22de2d9f6a9994d78948339ea64d6c0f71f497d0a384e35af32d82467
                                  • Opcode Fuzzy Hash: 404f35b90608a89b0d3f03aab107b3c04e7cde7649badd6db9837dedf6a72447
                                  • Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Eventinet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                  • API String ID: 3578746661-168337528
                                  • Opcode ID: 404f35b90608a89b0d3f03aab107b3c04e7cde7649badd6db9837dedf6a72447
                                  • Instruction ID: 0b6cd220f8fcb462d8963c80262d0cda6ea44da4c658994182fb5e6951766e24
                                  • Opcode Fuzzy Hash: 404f35b90608a89b0d3f03aab107b3c04e7cde7649badd6db9837dedf6a72447
                                  • Instruction Fuzzy Hash: 2D51E571A84300AFC728FB34D91DA7E37B6AB91340F404529E90A872E4EF748A55CFD6
                                  APIs
                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0217B434
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0217B470
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0217B486
                                  • SetEvent.KERNEL32 ref: 0217B511
                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0217B522
                                  • CloseHandle.KERNEL32 ref: 0217B532
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                                  • String ID: open "
                                  • API String ID: 1811012380-3219617982
                                  • Opcode ID: a47143f6857cc49f95d44a5693e9bb1928780c6132feda829b940c4e1b3e7c60
                                  • Instruction ID: 140fa54fe30b75037418ffe297f58bdb1924f48b357135846ef68a6ec554a5f5
                                  • Opcode Fuzzy Hash: a47143f6857cc49f95d44a5693e9bb1928780c6132feda829b940c4e1b3e7c60
                                  • Instruction Fuzzy Hash: 9551B3B12C82446ED714BB30DC95EBF37AEABD0744F10042EF556931A0EF318E49CA66
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 0216A6B8
                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0216A6C4
                                  • GetKeyboardLayout.USER32(00000000), ref: 0216A6CB
                                  • GetKeyState.USER32(00000010), ref: 0216A6D5
                                  • GetKeyboardState.USER32(?), ref: 0216A6E0
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0216A79C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                  • String ID: (kG
                                  • API String ID: 3566172867-2813241365
                                  • Opcode ID: 31ed79bda99ad10420f5864c73503205d5e880a6a674e4152aa1d5376154a4ca
                                  • Instruction ID: 193246872a1839078ee743c40766fd961a9e174678e6991a106f86662f8a1f3d
                                  • Opcode Fuzzy Hash: 31ed79bda99ad10420f5864c73503205d5e880a6a674e4152aa1d5376154a4ca
                                  • Instruction Fuzzy Hash: 6D317E72544308FFD710DF90DC84FABBBECAB88714F00082AB645D61A0E7B1E958CB96
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EF0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474F08,00404C49,00000000,00000000,00000000,00000000,00474F08,00404AC9), ref: 00404BA5
                                    • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                  • String ID: .part
                                  • API String ID: 1303771098-3499674018
                                  • Opcode ID: e7cafca0780e8310386d8ce0e2b4e9b02ff549ab184a3408e64b8b6c6c25ff2e
                                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                  • Opcode Fuzzy Hash: e7cafca0780e8310386d8ce0e2b4e9b02ff549ab184a3408e64b8b6c6c25ff2e
                                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                  APIs
                                    • Part of subcall function 021781CE: __EH_prolog.LIBCMT ref: 021781D3
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 0217807E
                                  • CloseHandle.KERNEL32(00000000), ref: 02178087
                                  • DeleteFileA.KERNEL32(00000000), ref: 02178096
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0217804A
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                  • String ID: <$@$@VG
                                  • API String ID: 1704390241-1844614265
                                  • Opcode ID: a7ccbf212e0a0af7567c3739942aa45154892a8531320463d144bdb20d29dfac
                                  • Instruction ID: dc9fa3fc6e7b3a964b8b59c02f8d779eb18e0174df8b0108a92e00f8134f0729
                                  • Opcode Fuzzy Hash: a7ccbf212e0a0af7567c3739942aa45154892a8531320463d144bdb20d29dfac
                                  • Instruction Fuzzy Hash: FE318B31D802199FCB04FBA0DC59BFE7736AF60301F514268E90A660A4EF741E9ACF91
                                  APIs
                                  • _strftime.LIBCMT ref: 00401BD4
                                    • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401C86
                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                  • String ID: %Y-%m-%d %H.%M$.wav$tMG
                                  • API String ID: 3809562944-3627046146
                                  • Opcode ID: 210fd9ba1251f706d0f6ced8dacb23af96e0d20cc0fe8c7829aa69d3c0beebe0
                                  • Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
                                  • Opcode Fuzzy Hash: 210fd9ba1251f706d0f6ced8dacb23af96e0d20cc0fe8c7829aa69d3c0beebe0
                                  • Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0216A575
                                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0216A583
                                  • GetLastError.KERNEL32 ref: 0216A58F
                                    • Part of subcall function 0217B7E7: GetLocalTime.KERNEL32(00000000), ref: 0217B801
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0216A5DD
                                  • TranslateMessage.USER32(?), ref: 0216A5EC
                                  • DispatchMessageA.USER32(?), ref: 0216A5F7
                                  Strings
                                  • Keylogger initialization failure: error , xrefs: 0216A5A3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                  • String ID: Keylogger initialization failure: error
                                  • API String ID: 3219506041-952744263
                                  • Opcode ID: f6438d0ece582153da91c0d5bff560373b785e456ae076c588142eaef4cdec3b
                                  • Instruction ID: 3cdf2c56ad14042639e9411489ab74e8d7b6eacc16c821273c697de955feb722
                                  • Opcode Fuzzy Hash: f6438d0ece582153da91c0d5bff560373b785e456ae076c588142eaef4cdec3b
                                  • Instruction Fuzzy Hash: 5B118C72584201EFCB10BB759D0D96B77ADEF95612B50057DF882D2190EF30D920CBAA
                                  APIs
                                  • AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                  • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$Window$AllocOutputShow
                                  • String ID: Remcos v$5.2.0 Pro$CONOUT$
                                  • API String ID: 4067487056-793934204
                                  • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                  • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                  • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                  • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0i$C:\Users\user\Desktop\YESOHDKMIm.exe$Rmc-T59BEJ$xdF
                                  • API String ID: 0-632898049
                                  • Opcode ID: 6266df8f63f07d9ec3e284de14b260bcf750c81262affdfdd67307fbc2c8eb3d
                                  • Instruction ID: 3cbb47f8c1a8a4253726478a0728d507fda92b73a671feb317d9739d16a41da9
                                  • Opcode Fuzzy Hash: 6266df8f63f07d9ec3e284de14b260bcf750c81262affdfdd67307fbc2c8eb3d
                                  • Instruction Fuzzy Hash: 2CF0F6B0680111AFDB102F305D1C77D3696D74976AF004535F546EA2E1EBA44893CA18
                                  APIs
                                  • SendInput.USER32 ref: 00419A25
                                  • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InputSend$Virtual
                                  • String ID:
                                  • API String ID: 1167301434-0
                                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16_free
                                  • String ID: a/p$am/pm$h{D
                                  • API String ID: 2936374016-2303565833
                                  • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                  • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                  APIs
                                  • _free.LIBCMT ref: 021A94F9
                                  • _free.LIBCMT ref: 021A951D
                                  • _free.LIBCMT ref: 021A96A4
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 021A96B6
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 021A972E
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 021A975B
                                  • _free.LIBCMT ref: 021A9870
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                  • String ID:
                                  • API String ID: 314583886-0
                                  • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                  • Instruction ID: 2735c79908bad8507e6e395eee81a3be677222aaa1180cc7631618a717a2210b
                                  • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                  • Instruction Fuzzy Hash: 84C15879980245AFDF24DF78DD60BAE7BFAEF45310F1445AAD4499B280E7318AC1CB90
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,021B4343,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 021B4116
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,021B4343,00000000,00000000,?,00000001,?,?,?,?), ref: 021B4199
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,021B4343,?,021B4343,00000000,00000000,?,00000001,?,?,?,?), ref: 021B422C
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,021B4343,00000000,00000000,?,00000001,?,?,?,?), ref: 021B4243
                                    • Part of subcall function 021A641F: RtlAllocateHeap.NTDLL(00000000,021955B0,?), ref: 021A6451
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,021B4343,00000000,00000000,?,00000001,?,?,?,?), ref: 021B42BF
                                  • __freea.LIBCMT ref: 021B42EA
                                  • __freea.LIBCMT ref: 021B42F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                  • String ID:
                                  • API String ID: 2829977744-0
                                  • Opcode ID: 24d135ac0f9138e255d98317baa41a59b13291ee02cbd6844a619640bdede200
                                  • Instruction ID: a14a4811f8a17bb46250575f076902f532688d9f636e76eb9c8c63696aa0e020
                                  • Opcode Fuzzy Hash: 24d135ac0f9138e255d98317baa41a59b13291ee02cbd6844a619640bdede200
                                  • Instruction Fuzzy Hash: 7491D671E802169FDF269FA4DC60EEEBBB5AF09314F058169ED11E7292D735D840CB60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: udp
                                  • API String ID: 0-4243565622
                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction ID: b4bd09295744bc2090351cb7db6b91223be8aa05def9c45acd16e3f25ca5bcb9
                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction Fuzzy Hash: DA7187746883068FDB29CF18C48462BBBF1EBD8355F15482EF89587260EB75C945CB92
                                  APIs
                                    • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • _free.LIBCMT ref: 00444E87
                                  • _free.LIBCMT ref: 00444E9E
                                  • _free.LIBCMT ref: 00444EBD
                                  • _free.LIBCMT ref: 00444ED8
                                  • _free.LIBCMT ref: 00444EEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID: KED
                                  • API String ID: 3033488037-2133951994
                                  • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                  • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                  APIs
                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                  • __fassign.LIBCMT ref: 0044B4F9
                                  • __fassign.LIBCMT ref: 0044B514
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                  APIs
                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,021ABE18,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 021AB6E5
                                  • __fassign.LIBCMT ref: 021AB760
                                  • __fassign.LIBCMT ref: 021AB77B
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 021AB7A1
                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,021ABE18,00000000,?,?,?,?,?,?,?,?,?,021ABE18,?), ref: 021AB7C0
                                  • WriteFile.KERNEL32(?,?,00000001,021ABE18,00000000,?,?,?,?,?,?,?,?,?,021ABE18,?), ref: 021AB7F9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  • Opcode ID: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                                  • Instruction ID: 9c63eb9565bf1e7a71bf44e7ffdeae104daf8045bc58c0841649b2fb99a287e5
                                  • Opcode Fuzzy Hash: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                                  • Instruction Fuzzy Hash: 2651E374A44249AFCB10CFA8DCA0BEEBBF4FF18304F14412AE955E3291E7709A41CB60
                                  APIs
                                    • Part of subcall function 02172AF2: TerminateProcess.KERNEL32(00000000,?,0216DAB1), ref: 02172B02
                                    • Part of subcall function 02172AF2: WaitForSingleObject.KERNEL32(000000FF,?,0216DAB1), ref: 02172B15
                                    • Part of subcall function 0217399A: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021739B6
                                    • Part of subcall function 0217399A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021739CF
                                    • Part of subcall function 0217399A: RegCloseKey.ADVAPI32(?), ref: 021739DA
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0216DAFB
                                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0216DC5A
                                  • ExitProcess.KERNEL32 ref: 0216DC66
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                  • String ID: HSG$exepath$xdF
                                  • API String ID: 1913171305-3541563599
                                  • Opcode ID: 6ddad64b6f6f531a1692a3034fd339a50ae91ac75a842a785093bcba9e23503d
                                  • Instruction ID: 9012ce4af59dab5b696bc42ac147127589faa4b23ad922e32de4932e623fd859
                                  • Opcode Fuzzy Hash: 6ddad64b6f6f531a1692a3034fd339a50ae91ac75a842a785093bcba9e23503d
                                  • Instruction Fuzzy Hash: 184181319941186FCB19FB60DC98DFE773AAF50700F10016AE906A71A0EF745E56CF94
                                  APIs
                                  • connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 02164B47
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02164C67
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02164C75
                                  • WSAGetLastError.WS2_32 ref: 02164C88
                                    • Part of subcall function 0217B7E7: GetLocalTime.KERNEL32(00000000), ref: 0217B801
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                  • String ID: Connection Failed: $TLS Handshake... |
                                  • API String ID: 994465650-1510355367
                                  • Opcode ID: 2d49116b9c675fc5002ccfaaed315144ad6d64ba8ccd8faf84a893bd454578e1
                                  • Instruction ID: fe8f9b21bab4a6afe604fd60986a9de20a4659790b8c0d2462d98bafbeb95f45
                                  • Opcode Fuzzy Hash: 2d49116b9c675fc5002ccfaaed315144ad6d64ba8ccd8faf84a893bd454578e1
                                  • Instruction Fuzzy Hash: 9541C561BC06057FCB287B7DCD5EA3D7B27AF86304B40015AD80247A95EF6699308BE3
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                  • RtlExitUserThread.KERNEL32(00000000), ref: 004018F6
                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EF0,00000000), ref: 00401A04
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                  • String ID: `kG$hMG$kG
                                  • API String ID: 1265842484-3851552405
                                  • Opcode ID: e7d59365cf8a2a51c340e4573cf07ad470a5e8a59a5c5c9771ed2099c48a02bd
                                  • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                  • Opcode Fuzzy Hash: e7d59365cf8a2a51c340e4573cf07ad470a5e8a59a5c5c9771ed2099c48a02bd
                                  • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 02161B25
                                  • RtlExitUserThread.NTDLL(00000000), ref: 02161B5D
                                  • waveInUnprepareHeader.WINMM(00001E40,00000020,00000000,?,00000020,00474EF0,00000000), ref: 02161C6B
                                    • Part of subcall function 02194A68: __onexit.LIBCMT ref: 02194A6E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                  • String ID: `kG$hMG$kG
                                  • API String ID: 1265842484-3851552405
                                  • Opcode ID: e7d59365cf8a2a51c340e4573cf07ad470a5e8a59a5c5c9771ed2099c48a02bd
                                  • Instruction ID: 84aa470bfbed08e922509364231d5b05479dd5a0868b4b8c7a9fef286dace410
                                  • Opcode Fuzzy Hash: e7d59365cf8a2a51c340e4573cf07ad470a5e8a59a5c5c9771ed2099c48a02bd
                                  • Instruction Fuzzy Hash: 6A41C6316842409FC324FB34ED98AFF73A7AB95310F10452EE459861E0EF30A965CE55
                                  APIs
                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750F4), ref: 00413678
                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                  • _wcslen.LIBCMT ref: 0041B7F4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                  • String ID: .exe$HSG$http\shell\open\command$program files (x86)\$program files\
                                  • API String ID: 3286818993-930133217
                                  • Opcode ID: 98e5383603199a3ae91f152b580e0980a92f5ba97d9c345e2d64d7e8863b9e47
                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                  • Opcode Fuzzy Hash: 98e5383603199a3ae91f152b580e0980a92f5ba97d9c345e2d64d7e8863b9e47
                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                  APIs
                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 1133728706-4073444585
                                  • Opcode ID: a976107ae4362f42920dfdb3ecba022a246b7b1703a55ed826806908a238449e
                                  • Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
                                  • Opcode Fuzzy Hash: a976107ae4362f42920dfdb3ecba022a246b7b1703a55ed826806908a238449e
                                  • Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                  • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                  • Instruction ID: 92fbba3a7c89d51cba97325369e388bfb05a557eef6c8215ebbd078328bce246
                                  • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                  • Instruction Fuzzy Hash: 8A11C07A585295AFDF15BFB6DC04EAB3AADDF85760B214538F815C7150DB31C800CBA0
                                  APIs
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
                                  • waveInStart.WINMM ref: 00401B82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                  • String ID: tMG
                                  • API String ID: 1356121797-30866661
                                  • Opcode ID: fcff18681eae06644500fa2447b05236e1dac46e0004316a84fd1a613709cab6
                                  • Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
                                  • Opcode Fuzzy Hash: fcff18681eae06644500fa2447b05236e1dac46e0004316a84fd1a613709cab6
                                  • Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
                                  APIs
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02161CE4
                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,00401B8F,00000000,00000000,00000024), ref: 02161D7A
                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 02161DCE
                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 02161DDD
                                  • waveInStart.WINMM ref: 02161DE9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                  • String ID: tMG
                                  • API String ID: 1356121797-30866661
                                  • Opcode ID: fcff18681eae06644500fa2447b05236e1dac46e0004316a84fd1a613709cab6
                                  • Instruction ID: 0467022d8f46d119c1fe533ce0cabf4dcd8005f6568ec90a4c2ca62d9e08a668
                                  • Opcode Fuzzy Hash: fcff18681eae06644500fa2447b05236e1dac46e0004316a84fd1a613709cab6
                                  • Instruction Fuzzy Hash: 56214A716442109FC7299F69EE08A697BA6FB94711B04803AE10DC76B0DBF448C5CB2C
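The two waveIn entries directly above, like the RtlExitUserThread entries before them, carry the same Opcode ID in the in-image dump (Offset 00400000) and in the unpacked region (Offset 02160000) while their Instruction IDs differ, which is how the report shows that the region at 0x02160000 holds a second copy of the same function bodies. The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses function entries written in the report's own text format, pairs functions across memory dumps by Opcode ID, and flags two API orderings that the entries in this section document, the waveInOpen / waveInPrepareHeader / waveInAddBuffer / waveInStart microphone-capture chain and the GetModuleFileNameW / ShellExecuteW / ExitProcess self-relaunch. The embedded report text is constructed from the entries shown above (trimmed to the fields the parser uses); the sequence rules are this example's own heuristics, not a Joe Sandbox signature.

```python
"""Added example: pair Joe Sandbox IDA-plugin function entries across memory
dumps by Opcode ID and flag API call orderings of interest. The sample text
below is constructed from entries shown in the report; the rules are
illustrative heuristics, not Joe Sandbox's own detection logic."""
import re
from collections import defaultdict

# One "• API.MODULE(args), ref: ADDR" line, with or without args, optionally
# prefixed by "Part of subcall function XXXX: " (an indirect call).
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+: )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>Source File|Opcode ID|Instruction ID): (?P<val>.*)$")
OFFSET = re.compile(r"Offset: ([0-9A-F]+)")

# Ordered API subsequences (direct calls only) worth flagging in a function.
SEQUENCES = {
    "microphone capture (waveIn*)":
        ["waveInOpen", "waveInPrepareHeader", "waveInAddBuffer", "waveInStart"],
    "self-relaunch via ShellExecuteW then ExitProcess":
        ["GetModuleFileNameW", "ShellExecuteW", "ExitProcess"],
}

# Constructed sample, copied from the report entries above (fuzzy-hash lines omitted).
SAMPLE_REPORT = """\
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
• waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
• waveInStart.WINMM ref: 00401B82
Memory Dump Source
• Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: fcff18681eae06644500fa2447b05236e1dac46e0004316a84fd1a613709cab6
• Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02161CE4
• waveInOpen.WINMM(00472AC0,000000FF,00472AC8,00401B8F,00000000,00000000,00000024), ref: 02161D7A
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 02161DCE
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 02161DDD
• waveInStart.WINMM ref: 02161DE9
Memory Dump Source
• Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
• Opcode ID: fcff18681eae06644500fa2447b05236e1dac46e0004316a84fd1a613709cab6
• Instruction ID: 0467022d8f46d119c1fe533ce0cabf4dcd8005f6568ec90a4c2ca62d9e08a668
APIs
  • Part of subcall function 02172AF2: TerminateProcess.KERNEL32(00000000,?,0216DAB1), ref: 02172B02
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0216DAFB
• ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0216DC5A
• ExitProcess.KERNEL32 ref: 0216DC66
Memory Dump Source
• Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
• Opcode ID: 6ddad64b6f6f531a1692a3034fd339a50ae91ac75a842a785093bcba9e23503d
• Instruction ID: 9012ce4af59dab5b696bc42ac147127589faa4b23ad922e32de4932e623fd859
"""


def parse_entries(text):
    """Return one dict per function entry; an entry closes at its Instruction ID line."""
    entries, cur = [], {"apis": []}
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur["apis"].append((m["name"], m["module"], m["ref"], m["sub"] is not None))
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue  # headers such as "APIs", "Strings", fuzzy-hash lines
        key, val = m["key"], m["val"].strip()
        if key == "Source File":
            off = OFFSET.search(val)
            cur["offset"] = off.group(1) if off else "?"
        elif key == "Opcode ID":
            cur["opcode_id"] = val
        else:  # Instruction ID terminates the entry
            cur["instruction_id"] = val
            entries.append(cur)
            cur = {"apis": []}
    return entries


def is_subsequence(wanted, seq):
    """True if every name in `wanted` appears in `seq` in that relative order."""
    it = iter(seq)
    return all(w in it for w in wanted)


def match_sequences(entry):
    """Labels of SEQUENCES whose APIs the function calls directly, in order."""
    direct = [name for name, _, _, sub in entry["apis"] if not sub]
    return [label for label, wanted in SEQUENCES.items() if is_subsequence(wanted, direct)]


def pair_by_opcode(entries):
    """Opcode IDs seen in more than one dump, mapped to the sorted dump offsets."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["opcode_id"]].append(e["offset"])
    return {oid: sorted(offs) for oid, offs in groups.items() if len(offs) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for e in parsed:
        print(e["offset"], e["opcode_id"][:12], match_sequences(e))
    for oid, offs in pair_by_opcode(parsed).items():
        print("same function body in dumps", offs, "->", oid[:12])
```

Only direct calls are matched against the sequence rules, so the TerminateProcess / RegOpenKeyExA calls listed as "Part of subcall function" do not contribute; widen `SEQUENCES` or include subcalls if that is what a hunt needs. To use it on the full report, paste the function listing into `SAMPLE_REPORT`; the extra "Opcode Fuzzy Hash" and "Instruction Fuzzy Hash" lines are ignored by the parser.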
                                  APIs
                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                  • _free.LIBCMT ref: 00450FC8
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00450FD3
                                  • _free.LIBCMT ref: 00450FDE
                                  • _free.LIBCMT ref: 00451032
                                  • _free.LIBCMT ref: 0045103D
                                  • _free.LIBCMT ref: 00451048
                                  • _free.LIBCMT ref: 00451053
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                    • Part of subcall function 021B0F28: _free.LIBCMT ref: 021B0F51
                                  • _free.LIBCMT ref: 021B122F
                                    • Part of subcall function 021A6A69: HeapFree.KERNEL32(00000000,00000000,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?), ref: 021A6A7F
                                    • Part of subcall function 021A6A69: GetLastError.KERNEL32(?,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?,?), ref: 021A6A91
                                  • _free.LIBCMT ref: 021B123A
                                  • _free.LIBCMT ref: 021B1245
                                  • _free.LIBCMT ref: 021B1299
                                  • _free.LIBCMT ref: 021B12A4
                                  • _free.LIBCMT ref: 021B12AF
                                  • _free.LIBCMT ref: 021B12BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                  • int.LIBCPMT ref: 004111BE
                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                  • String ID: 8mG
                                  • API String ID: 2536120697-3990007011
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 02171412
                                  • int.LIBCPMT ref: 02171425
                                    • Part of subcall function 0216E363: std::_Lockit::_Lockit.LIBCPMT ref: 0216E374
                                    • Part of subcall function 0216E363: std::_Lockit::~_Lockit.LIBCPMT ref: 0216E38E
                                  • std::_Facet_Register.LIBCPMT ref: 02171465
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0217146E
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0217148C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                  • String ID: 8mG
                                  • API String ID: 2536120697-3990007011
                                  APIs
                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,0219A638,021995A5), ref: 0219A64F
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0219A65D
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0219A676
                                  • SetLastError.KERNEL32(00000000,?,0219A638,021995A5), ref: 0219A6C8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  APIs
                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\YESOHDKMIm.exe), ref: 0040760B
                                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                  • CoUninitialize.OLE32 ref: 00407664
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InitializeObjectUninitialize_wcslen
                                  • String ID: C:\Users\user\Desktop\YESOHDKMIm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                  • API String ID: 3851391207-2138668641
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                  • GetLastError.KERNEL32 ref: 0040BB22
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                  • [Chrome Cookies not found], xrefs: 0040BB3C
                                  • UserProfile, xrefs: 0040BAE8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 2018770650-304995407
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0217D76E
                                    • Part of subcall function 0217D807: RegisterClassExA.USER32(00000030), ref: 0217D853
                                    • Part of subcall function 0217D807: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0217D86E
                                    • Part of subcall function 0217D807: GetLastError.KERNEL32 ref: 0217D878
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0217D7A5
                                  • lstrcpyn.KERNEL32(00474B70,0046CF44,00000080), ref: 0217D7BF
                                  • Shell_NotifyIcon.SHELL32(00000000,00474B58), ref: 0217D7D5
                                  • TranslateMessage.USER32(?), ref: 0217D7E1
                                  • DispatchMessageA.USER32(?), ref: 0217D7EB
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0217D7F8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID:
                                  • API String ID: 1970332568-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0i$C:\Users\user\Desktop\YESOHDKMIm.exe$Rmc-T59BEJ
                                  • API String ID: 0-2754947561
                                  APIs
                                  • _free.LIBCMT ref: 00444106
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00444118
                                  • _free.LIBCMT ref: 0044412B
                                  • _free.LIBCMT ref: 0044413C
                                  • _free.LIBCMT ref: 0044414D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID: xNi
                                  • API String ID: 776569668-4281817997
                                  APIs
                                  • __allrem.LIBCMT ref: 0043ACE9
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                  • __allrem.LIBCMT ref: 0043AD1C
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                  • __allrem.LIBCMT ref: 0043AD51
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 1992179935-0
                                  APIs
                                  • _free.LIBCMT ref: 021A3BD0
                                  • _free.LIBCMT ref: 021A3BEA
                                  • _free.LIBCMT ref: 021A3BF5
                                  • _free.LIBCMT ref: 021A3CC9
                                  • _free.LIBCMT ref: 021A3CE5
                                    • Part of subcall function 0219BFCF: IsProcessorFeaturePresent.KERNEL32(00000017,0219BFA1,?,?,?,?,?,00000000,?,?,0219BFC1,00000000,00000000,00000000,00000000,00000000), ref: 0219BFD1
                                    • Part of subcall function 0219BFCF: GetCurrentProcess.KERNEL32(C0000417), ref: 0219BFF3
                                    • Part of subcall function 0219BFCF: TerminateProcess.KERNEL32(00000000), ref: 0219BFFA
                                  • _free.LIBCMT ref: 021A3CEF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
                                  • String ID:
                                  • API String ID: 2329545287-0
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,021AB181,00000001,00000001,00000006), ref: 021AAF8A
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,021AB181,00000001,00000001,00000006), ref: 021AB010
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 021AB10A
                                  • __freea.LIBCMT ref: 021AB117
                                    • Part of subcall function 021A641F: RtlAllocateHeap.NTDLL(00000000,021955B0,?), ref: 021A6451
                                  • __freea.LIBCMT ref: 021AB120
                                  • __freea.LIBCMT ref: 021AB145
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  APIs
                                  • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prologSleep
                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
                                  • API String ID: 3469354165-985523790
                                  APIs
                                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                  • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                  • RtlAllocateHeap.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
                                  • String ID:
                                  • API String ID: 2227336758-0
                                  APIs
                                  • Sleep.KERNEL32(00000000,?), ref: 0216472B
                                    • Part of subcall function 0216486E: __EH_prolog.LIBCMT ref: 02164873
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prologSleep
                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
                                  • API String ID: 3469354165-985523790
                                  • Opcode ID: f4ba28f1dc5a3149abac62d651e778a2735a92b35a6eb013b851ba628fd62ee8
                                  • Instruction ID: 0aa609e4ab8194c36bd211343e85a353c0e5028e1ef9c65e0efe1015f9e5127a
                                  • Opcode Fuzzy Hash: f4ba28f1dc5a3149abac62d651e778a2735a92b35a6eb013b851ba628fd62ee8
                                  • Instruction Fuzzy Hash: 5051F231A84250AFCA28FB74DD5CA7E3BAB9B81750F00052DEC0957690EF748A65CB96
                                  APIs
                                    • Part of subcall function 02171A3E: SetLastError.KERNEL32(0000000D,02171FBE,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02171F9C), ref: 02171A44
                                  • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02171F9C), ref: 02171FD9
                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02171F9C), ref: 02172047
                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 0217206B
                                    • Part of subcall function 02171F45: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,02172089,?,00000000,00003000,00000040,00000000,?,00000000), ref: 02171F55
                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 021720B2
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 021720B9
                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 021721CC
                                    • Part of subcall function 02172319: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,021721D9,?,?,?,?,00000000), ref: 02172389
                                    • Part of subcall function 02172319: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 02172390
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
                                  • String ID:
                                  • API String ID: 2227336758-0
                                  • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                  • Instruction ID: 747abe36ca679bacaa305b08f2db7e5befa28395e89590f1b2181f194fe32dbb
                                  • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                  • Instruction Fuzzy Hash: 2461D670684201BFC724AF25CD84B6A7BF5FFC4710F044169EE099B685EBB4D896CBA1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __cftoe
                                  • String ID:
                                  • API String ID: 4189289331-0
                                  • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                  • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                  • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                  • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __cftoe
                                  • String ID:
                                  • API String ID: 4189289331-0
                                  • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                  • Instruction ID: 6bcb89dd1f7e2f56012f07b7f1613815249ebd459a7fbeea98ec696232dccc3b
                                  • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                  • Instruction Fuzzy Hash: 86514E7AD88205BFDF249B68CCA4FAE77BFEF44734F944119E815D6188DB31D5008A64
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 02167C67
                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 02167CAF
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  • CloseHandle.KERNEL32(00000000), ref: 02167CEF
                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 02167D0C
                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 02167D37
                                  • DeleteFileW.KERNEL32(00000000), ref: 02167D47
                                    • Part of subcall function 02164DFD: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474F08,02164EB0,00000000,00000000,00000000,00000000,00474F08,02164D30), ref: 02164E0C
                                    • Part of subcall function 02164DFD: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,021656F2), ref: 02164E2A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                  • String ID:
                                  • API String ID: 1303771098-0
                                  • Opcode ID: e7cafca0780e8310386d8ce0e2b4e9b02ff549ab184a3408e64b8b6c6c25ff2e
                                  • Instruction ID: 0d5e329c9e8251cedb50105ad1cbf95f8fefb07e9974c9767054938893ffbfc8
                                  • Opcode Fuzzy Hash: e7cafca0780e8310386d8ce0e2b4e9b02ff549ab184a3408e64b8b6c6c25ff2e
                                  • Instruction Fuzzy Hash: 8A31D371448345AFC310EB20DC589BFB3A9FF84315F404D2EB98692190DB709E48CF96
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                  • String ID:
                                  • API String ID: 493672254-0
                                  • Opcode ID: 6768d04de6bba430942b0409d96819e7e0e6ab90830dc8ea3fc78fe1771b3c5b
                                  • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                  • Opcode Fuzzy Hash: 6768d04de6bba430942b0409d96819e7e0e6ab90830dc8ea3fc78fe1771b3c5b
                                  • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 0217AE14
                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 0217AE2B
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0217AE38
                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 0217AE47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseControlHandleManager
                                  • String ID:
                                  • API String ID: 1243734080-0
                                  • Opcode ID: eb6abd722e0cae9a5b5ac2f6fd433bf2c3c2a2b9123b5e78852541010ca8cce1
                                  • Instruction ID: f119bf146e3ff28a96921e3795aefc087170e4dda9fe390b2912519a1528b68a
                                  • Opcode Fuzzy Hash: eb6abd722e0cae9a5b5ac2f6fd433bf2c3c2a2b9123b5e78852541010ca8cce1
                                  • Instruction Fuzzy Hash: FB11A531980318AF9B216F64DC88DFF3B7CDF85A62B000425F94592191DF648D45AAB5
                                  APIs
                                  • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                  • _free.LIBCMT ref: 004482CC
                                  • _free.LIBCMT ref: 004482F4
                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                  • _abort.LIBCMT ref: 00448313
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                  • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                  APIs
                                  • GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                  • _free.LIBCMT ref: 021A8533
                                  • _free.LIBCMT ref: 021A855B
                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8568
                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                  • _abort.LIBCMT ref: 021A857A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                  • Instruction ID: d48254707e456841da9bb91f6662ee0bf8fae5eef3383c1aa827cf9a372f02da
                                  • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                  • Instruction Fuzzy Hash: C0F0F43E5C47006ECA113339BC38B6A251B9FC1775F2B4429FC19921D0EF64CA428558
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: ae1d2dc5fcc920fa0c4de2805c4bb02fd0d2400c89c15f2023f51b2330037a2a
                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                  • Opcode Fuzzy Hash: ae1d2dc5fcc920fa0c4de2805c4bb02fd0d2400c89c15f2023f51b2330037a2a
                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 09157ef8eb8da34f78b0ee302db87b690a61261d17d0987fe2a8bb4e8e1c1ff6
                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                  • Opcode Fuzzy Hash: 09157ef8eb8da34f78b0ee302db87b690a61261d17d0987fe2a8bb4e8e1c1ff6
                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: b26bf3762530a856ab6d8755ba7de06de94296f9b4710ed3a1167deef3457c09
                                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                  • Opcode Fuzzy Hash: b26bf3762530a856ab6d8755ba7de06de94296f9b4710ed3a1167deef3457c09
                                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0217A2B1
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0217A36F
                                  • GetLocalTime.KERNEL32(?), ref: 0217A3FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateDirectoryH_prologLocalTime
                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                  • API String ID: 2709065311-3790400642
                                  • Opcode ID: dd8985f9f0424e5af7ab4b9def62d93c7b0618ad4023e7f36387c501f976b2f9
                                  • Instruction ID: f89ec7d615dc12b1dd070ecfebceb17bb1d08ada77504794380759bb2256d022
                                  • Opcode Fuzzy Hash: dd8985f9f0424e5af7ab4b9def62d93c7b0618ad4023e7f36387c501f976b2f9
                                  • Instruction Fuzzy Hash: 6D519271A842549ECB14FBB4CC58AFE777AAF85300F40402AE945AB1D0EF748E55CBA5
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 02173FE8
                                    • Part of subcall function 02173CF7: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02173D5E
                                    • Part of subcall function 02173CF7: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 02173D8D
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 02174156
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumInfoOpenQuerysend
                                  • String ID: (aF$,aF$xdF
                                  • API String ID: 3114080316-1322504040
                                  • Opcode ID: cc062f830d16cacea19ca4de1ed0cf31f861faddd90282fe9b2691ee2ce94904
                                  • Instruction ID: 4ac295db62bd35700af8dae15b11be839e1ae3665ae3beeaa536b30a97e3fdb7
                                  • Opcode Fuzzy Hash: cc062f830d16cacea19ca4de1ed0cf31f861faddd90282fe9b2691ee2ce94904
                                  • Instruction Fuzzy Hash: C541E4316C42406FC324FB24EC58AFF77A79FE1740F40882EA84A57194EF345D59CAA6
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\YESOHDKMIm.exe,00000104), ref: 00443515
                                  • _free.LIBCMT ref: 004435E0
                                  • _free.LIBCMT ref: 004435EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Users\user\Desktop\YESOHDKMIm.exe$H%g
                                  • API String ID: 2506810119-27147328
                                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                  • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                  • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\YESOHDKMIm.exe,00000104), ref: 021A377C
                                  • _free.LIBCMT ref: 021A3847
                                  • _free.LIBCMT ref: 021A3851
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Users\user\Desktop\YESOHDKMIm.exe$H%g
                                  • API String ID: 2506810119-27147328
                                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                  • Instruction ID: 882aa5d55d958c477d4be673d2abdfcb479345deea6960cbad1d6c35c81d9ba8
                                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                  • Instruction Fuzzy Hash: 8E31C3B9E40248EFDB21DF99DD94A9EBBFDEF85710F1041B6E41897210D7B08A80CB90
                                  APIs
                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
                                  • wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EventLocalTimewsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                  • API String ID: 1497725170-248792730
                                  • Opcode ID: f215b44ac66cc179d853800de92e2982fb6d871ece48d8f6ca041cc6bf8154f8
                                  • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                  • Opcode Fuzzy Hash: f215b44ac66cc179d853800de92e2982fb6d871ece48d8f6ca041cc6bf8154f8
                                  • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                  • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSizeSleep
                                  • String ID: hQG
                                  • API String ID: 1958988193-4070439852
                                  • Opcode ID: dff8f098f1c377594146863248cdb80fbfdf91f527f5f89ea2521ad03e4bff88
                                  • Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
                                  • Opcode Fuzzy Hash: dff8f098f1c377594146863248cdb80fbfdf91f527f5f89ea2521ad03e4bff88
                                  • Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0216A9EF), ref: 0216A94D
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0216A9EF), ref: 0216A95C
                                  • Sleep.KERNEL32(00002710,?,?,?,0216A9EF), ref: 0216A989
                                  • CloseHandle.KERNEL32(00000000,?,?,?,0216A9EF), ref: 0216A990
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSizeSleep
                                  • String ID: hQG
                                  • API String ID: 1958988193-4070439852
                                  • Opcode ID: dff8f098f1c377594146863248cdb80fbfdf91f527f5f89ea2521ad03e4bff88
                                  • Instruction ID: fd073c8e66ed5e24432fe9f1a12499b3ee4e21b307dc8543135859f9fce2ab7e
                                  • Opcode Fuzzy Hash: dff8f098f1c377594146863248cdb80fbfdf91f527f5f89ea2521ad03e4bff88
                                  • Instruction Fuzzy Hash: 69113A307C0B40FAD731AF24989CB3E7B9BEF45206F5A0828E18267592C7649860CB19
                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                  • GetLastError.KERNEL32 ref: 0041D611
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                  • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                  • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 0217D853
                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0217D86E
                                  • GetLastError.KERNEL32 ref: 0217D878
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                  • Instruction ID: e9508f3ff0214a66c5f99eef014394d3932bba3de512b25908a9ce044fb670ec
                                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                  • Instruction Fuzzy Hash: CE0122B1D0021DABDB00EFE5EC84DEFBBBDEA45255F00053AF914A6240EB748A058AA0
                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                  • CloseHandle.KERNEL32(?), ref: 004077E5
                                  • CloseHandle.KERNEL32(?), ref: 004077EA
                                  Strings
                                  • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                  • API String ID: 2922976086-4183131282
                                  • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                  • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                  • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                  • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002), ref: 004433FA
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002), ref: 00443430
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                  • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                  • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                  • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474F08,00404E7A,00000001,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000), ref: 00405120
                                  • SetEvent.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000), ref: 0040512C
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000), ref: 00405137
                                  • CloseHandle.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,00000000,00000000,00000000), ref: 00405140
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                  • String ID: KeepAlive | Disabled
                                  • API String ID: 2993684571-305739064
                                  • Opcode ID: dc341d0222263d5179386cd92f42de0f657b1c37d78b3311a0972f72a23f1cdf
                                  • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                  • Opcode Fuzzy Hash: dc341d0222263d5179386cd92f42de0f657b1c37d78b3311a0972f72a23f1cdf
                                  • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                  APIs
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                  • Sleep.KERNEL32(00002710), ref: 0041AE98
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                  • String ID: Alarm triggered
                                  • API String ID: 614609389-2816303416
                                  • Opcode ID: 7961ab4b9a775b72186ee6cedce60260f28aea5b2c5543dcab08774e2953f8a0
                                  • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                  • Opcode Fuzzy Hash: 7961ab4b9a775b72186ee6cedce60260f28aea5b2c5543dcab08774e2953f8a0
                                  • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                  Strings
                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                  • API String ID: 3024135584-2418719853
                                  • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                  • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                  • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                  • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                  • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                  • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                  • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                  • Instruction ID: 9334f854cb0891edc1bd2311e47626a4a2f0dc491c302b74fed2b9f682516962
                                  • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                  • Instruction Fuzzy Hash: 3B71C739D80216EBCF218F55C8A4ABFBB7AFF45354F154239E82967140D7708941CBA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID:
                                  • API String ID: 3033488037-0
                                  • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                  • Instruction ID: d4fd9021a0974b15e66ad938fd40cd680445f7b588a249f992dfa4593e115071
                                  • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                  • Instruction Fuzzy Hash: 0B51DF39E84304AFDB20DF69DC61B7A77F6EF48724B544569E80ADB250E731AA41CB80
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                  • _free.LIBCMT ref: 0044943D
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00449609
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                  • String ID:
                                  • API String ID: 1286116820-0
                                  • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                  • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                  • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                  • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 021A96B6
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 021A972E
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 021A975B
                                  • _free.LIBCMT ref: 021A96A4
                                    • Part of subcall function 021A6A69: HeapFree.KERNEL32(00000000,00000000,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?), ref: 021A6A7F
                                    • Part of subcall function 021A6A69: GetLastError.KERNEL32(?,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?,?), ref: 021A6A91
                                  • _free.LIBCMT ref: 021A9870
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                  • String ID:
                                  • API String ID: 1286116820-0
                                  • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                  • Instruction ID: 85a7614248a6e2ca0f05c7ddcf09f175a5e96f0f18bf11864f53cd32d1663d86
                                  • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                  • Instruction Fuzzy Hash: CE511A79940209EFCB14EFA9DE909AEB7BDEF40360B10467AD41597190E77089C1CF64
                                  APIs
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475348), ref: 0041C08B
                                    • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475348), ref: 0041C096
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 2180151492-0
                                  • Opcode ID: db79130361b4b0464cab85a352f134925f668321788b49065da1d952b70fcd3f
                                  • Instruction ID: 39de0d33b69ea9088fa68d935cf3ef43cf04ff0480c7130c1a021fac56d243da
                                  • Opcode Fuzzy Hash: db79130361b4b0464cab85a352f134925f668321788b49065da1d952b70fcd3f
                                  • Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                  APIs
                                    • Part of subcall function 0217C2AF: GetCurrentProcess.KERNEL32(00000003,?,?,0217B5C9,00000000,004750F4,00000003,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0217C2C0
                                    • Part of subcall function 0217C2AF: IsWow64Process.KERNEL32(00000000,?,?,0217B5C9,00000000,004750F4,00000003,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0217C2C7
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0216FBBD
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0216FBE1
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0216FBF0
                                  • CloseHandle.KERNEL32(00000000), ref: 0216FDA7
                                    • Part of subcall function 0217C2DD: OpenProcess.KERNEL32(00000400,00000000), ref: 0217C2F2
                                    • Part of subcall function 0217C2DD: IsWow64Process.KERNEL32(00000000,?), ref: 0217C2FD
                                    • Part of subcall function 0217C4D5: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0217C4ED
                                    • Part of subcall function 0217C4D5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0217C500
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0216FD98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 2180151492-0
                                  • Opcode ID: 4657730891610698eba749af41c4f7c2a1e88e482b252a6fa265d29701b33564
                                  • Instruction ID: c9354ca158698e6d18a8dd7425d6f2e0ab5ae548ce35a49afe99e1cf2fa12968
                                  • Opcode Fuzzy Hash: 4657730891610698eba749af41c4f7c2a1e88e482b252a6fa265d29701b33564
                                  • Instruction Fuzzy Hash: B54116311882849FC335FB20ED54AFFB3AAAFD4340F50452DE94A82194EF345A19CF56
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                  • Instruction ID: d62ea52bdc854cbd6cf8e90db5730cf5f21e08195f77e94f253c77d54928fb46
                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                  • Instruction Fuzzy Hash: DE41F43AA402049FDB14DFB8C890A5EB7F6EF89714F1685A9D915EB350E771ED02CB80
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,?,00000001,0043F918,?), ref: 004511F9
                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0043AF04,?), ref: 00451294
                                  • __freea.LIBCMT ref: 0045129D
                                    • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                  • String ID:
                                  • API String ID: 313313983-0
                                  • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                  • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                  APIs
                                    • Part of subcall function 0217399A: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021739B6
                                    • Part of subcall function 0217399A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021739CF
                                    • Part of subcall function 0217399A: RegCloseKey.ADVAPI32(?), ref: 021739DA
                                  • Sleep.KERNEL32(00000BB8), ref: 02172A1C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQuerySleepValue
                                  • String ID: 0i$HSG$exepath$xdF
                                  • API String ID: 4119054056-2998330220
                                  • Opcode ID: 1bfdafb44b4a2c026af98ac4f65e7b5a21bf8f167877c60a632f6c0c1c4bcbaa
                                  • Instruction ID: e6d84707997bad2503bb81843d79499ca8e079781335a74910d137448e9b731a
                                  • Opcode Fuzzy Hash: 1bfdafb44b4a2c026af98ac4f65e7b5a21bf8f167877c60a632f6c0c1c4bcbaa
                                  • Instruction Fuzzy Hash: 99212891BC43142FEA24B6741C0CA7F725F8BC1300F50497AAD459B3D2EFB98D2686A9
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                    • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                  • _free.LIBCMT ref: 0044F43F
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                  • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 021AF64A
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 021AF66D
                                    • Part of subcall function 021A641F: RtlAllocateHeap.NTDLL(00000000,021955B0,?), ref: 021A6451
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 021AF693
                                  • _free.LIBCMT ref: 021AF6A6
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 021AF6B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                  • Instruction ID: 10a19c9c9b0b3996ddd8126585d597f2287bd1a57e8dc0920c89c07f72aadbd3
                                  • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                  • Instruction Fuzzy Hash: DB01D47A641715BF272126BB5C9CC7B6A7EDAC6EA53150129FD08C3510EF628C0285F4
                                  APIs
                                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                  • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreatePointerWrite
                                  • String ID:
                                  • API String ID: 1852769593-0
                                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                  • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                  • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0217C808,00000000,00000000,?), ref: 0217C728
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0217C808,00000000,00000000,?,?,0216AB89), ref: 0217C745
                                  • CloseHandle.KERNEL32(00000000,?,00000000,0217C808,00000000,00000000,?,?,0216AB89), ref: 0217C751
                                  • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0217C808,00000000,00000000,?,?,0216AB89), ref: 0217C762
                                  • CloseHandle.KERNEL32(00000000,?,00000000,0217C808,00000000,00000000,?,?,0216AB89), ref: 0217C76F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreatePointerWrite
                                  • String ID:
                                  • API String ID: 1852769593-0
                                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                  • Instruction ID: 13d2f1a121a3c01047af776ad15b4c7542e09860a89e665404210204e0a13690
                                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                  • Instruction Fuzzy Hash: 94110071284215FFEB144E24AC89F7B73BCEBCA266F00062AF662C21C1DB318C0186B4
                                  APIs
                                  • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                  • _free.LIBCMT ref: 00448353
                                  • _free.LIBCMT ref: 0044837A
                                  • SetLastError.KERNEL32(00000000), ref: 00448387
                                  • SetLastError.KERNEL32(00000000), ref: 00448390
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                  • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                  APIs
                                  • GetLastError.KERNEL32(?,00000000,?,0219BF3D,00000000,?,?,0219BFC1,00000000,00000000,00000000,00000000,00000000,?,?), ref: 021A8585
                                  • _free.LIBCMT ref: 021A85BA
                                  • _free.LIBCMT ref: 021A85E1
                                  • SetLastError.KERNEL32(00000000), ref: 021A85EE
                                  • SetLastError.KERNEL32(00000000), ref: 021A85F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                  • Instruction ID: 4906e5105836a23bd95d90e2eb882854740e55c011fc3888259ae6071723798d
                                  • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                  • Instruction Fuzzy Hash: D901F47E2C47017F961266686CA8E2B225F9FC1771B274039FD1AA2190EF64CE458968
                                  APIs
                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandleOpen$FileImageName
                                  • String ID:
                                  • API String ID: 2951400881-0
                                  • Opcode ID: 86c9f0b933065f30fb7de588293abdcc028dc5bd0d1024c3ead9711c80f94643
                                  • Instruction ID: eb9e11a2b0883253d54455b1eb0df9c10e535dd1e95c930e162dea6fb874dde8
                                  • Opcode Fuzzy Hash: 86c9f0b933065f30fb7de588293abdcc028dc5bd0d1024c3ead9711c80f94643
                                  • Instruction Fuzzy Hash: 2F01F231680215ABD71066949C8AFA7B66C8B84756F0001ABFA08D2292EE74CD81466A
                                  APIs
                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0217C4ED
                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0217C500
                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0217C520
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0217C52B
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0217C533
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandleOpen$FileImageName
                                  • String ID:
                                  • API String ID: 2951400881-0
                                  • Opcode ID: 86c9f0b933065f30fb7de588293abdcc028dc5bd0d1024c3ead9711c80f94643
                                  • Instruction ID: e7e513e0ddb9396d57e8e4082276103b1dc09af1e4fe0f7f7aeaf1949da0bde1
                                  • Opcode Fuzzy Hash: 86c9f0b933065f30fb7de588293abdcc028dc5bd0d1024c3ead9711c80f94643
                                  • Instruction Fuzzy Hash: 5B01F971380315AFD72057A4AC4DF7BB67CCBC4792F010167F958D21D1EF609E4146A5
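                                   The records in this section come in pairs: the same function appears once in the mapped image at offset 00400000 ("based on PE: true") and once in the region at 02160000 ("based on PE: false"), with an identical Opcode ID and Opcode Fuzzy Hash but a different Instruction ID, which is what a relocated copy of the same code looks like. The argument columns list more values than the API takes (OpenProcess has three parameters, CloseHandle has one), so only the leading positions are real parameters, and "?" marks a value the sandbox did not recover. The script below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses records in the layout seen on this page (the layout itself is an assumption drawn from the listing), decodes the leading constants of the OpenProcess, RegOpenKeyExA and Sleep calls shown in the process-enumeration and registry/Sleep records above (0x1000 = PROCESS_QUERY_LIMITED_INFORMATION, 0x400 = PROCESS_QUERY_INFORMATION, 0x80000001 = HKEY_CURRENT_USER, 0x20019 = KEY_READ, 0xBB8 = 3000 ms), and groups records by Opcode ID to find code present in both memory regions. REPORT_EXCERPT is a constructed, trimmed copy of three records from this section.

```python
"""Decode Joe Sandbox IDA-plugin function records. Added example, not code from the report.
Record layout is assumed from this page ('APIs' opens a record; bullets read
'Name.MODULE(args), ref: addr', optionally prefixed 'Part of subcall function X:')."""
import re
from collections import defaultdict

# Constructed, trimmed copy of three records from the listing (section headers other than 'APIs' omitted).
REPORT_EXCERPT = """\
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
Memory Dump Source
• Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 86c9f0b933065f30fb7de588293abdcc028dc5bd0d1024c3ead9711c80f94643
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0217C4ED
Memory Dump Source
• Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
• Opcode ID: 86c9f0b933065f30fb7de588293abdcc028dc5bd0d1024c3ead9711c80f94643
APIs
  • Part of subcall function 0217399A: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021739B6
• Sleep.KERNEL32(00000BB8), ref: 02172A1C
Memory Dump Source
• Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
• String ID: 0i$HSG$exepath$xdF
• Opcode ID: 1bfdafb44b4a2c026af98ac4f65e7b5a21bf8f167877c60a632f6c0c1c4bcbaa
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)?\s+ref:\s*(?P<ref>[0-9A-F]+)")
# Standard Win32 SDK constants for the argument positions that carry them.
PROCESS_RIGHTS = {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE"}
HKEY_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS",
              0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x8: "KEY_ENUMERATE_SUB_KEYS"}

def decode_flags(value, table):
    """Exact table entry wins; otherwise OR the names of matching bits, leaving unknown bits as hex."""
    if value in table:
        return table[value]
    names, rest = [], value
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            rest &= ~bit
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

DECODERS = {  # (API name, argument index) -> decoder
    ("OpenProcess", 0): lambda v: decode_flags(v, PROCESS_RIGHTS),
    ("RegOpenKeyExA", 0): lambda v: HKEY_ROOTS.get(v, hex(v)),
    ("RegOpenKeyExA", 3): lambda v: decode_flags(v, REG_RIGHTS),
    ("Sleep", 0): lambda v: f"{v} ms ({v / 1000:g} s)",
}

def parse_records(text):
    """Split the listing into records: calls, dump offset, 'based on PE' flag, Opcode ID, strings."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append({"calls": [], "strings": []})
            continue
        if not records:
            continue
        rec, m = records[-1], CALL_RE.match(raw)
        if m:  # '?' is a value the sandbox could not recover; positions past the API's real
            args = [None if a == "?" else int(a, 16)  # parameter count are stack residue
                    for a in (m["args"] or "").split(",") if a]
            rec["calls"].append({"name": m["name"], "args": args, "ref": int(m["ref"], 16), "subcall": m["sub"]})
        elif line.startswith("• Source File:"):
            rec["offset"] = int(re.search(r"Offset: ([0-9A-F]+)", line)[1], 16)
            rec["based_on_pe"] = line.endswith("based on PE: true")
        elif line.startswith("• Opcode ID:"):
            rec["opcode_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            rec["strings"] = [s for s in line.split(":", 1)[1].strip().split("$") if s]
    return records

def decode_call(call):
    """Render a call with every argument the decoder table can name."""
    parts = [f"arg{i}={DECODERS[(call['name'], i)](v)}" for i, v in enumerate(call["args"])
             if v is not None and (call["name"], i) in DECODERS]
    return f"{call['name']}({', '.join(parts)})"

def pair_by_opcode(records):
    """Group by Opcode ID: one hash at two offsets is the same code mapped twice."""
    groups = defaultdict(list)
    for r in records:
        if "opcode_id" in r:
            groups[r["opcode_id"]].append((r["offset"], r["based_on_pe"]))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for r in recs:
        print(f"{r['offset']:#x} based_on_pe={r['based_on_pe']} strings={r['strings']}")
        print("   ", "; ".join(decode_call(c) for c in r["calls"]))
    print({k[:12]: v for k, v in pair_by_opcode(recs).items() if len(v) > 1})
```

                                   Run it as a script to print the decoded calls and the Opcode IDs shared by both regions. DECODERS is keyed by (API name, argument index), so other records in this listing can be covered by adding entries, for example the CreateFileW access mask at index 1 (0x40000000 = GENERIC_WRITE) and the SetFilePointer move method at index 3 (2 = FILE_END) in the file-writing records above.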
                                  APIs
                                  • _free.LIBCMT ref: 00450A54
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00450A66
                                  • _free.LIBCMT ref: 00450A78
                                  • _free.LIBCMT ref: 00450A8A
                                  • _free.LIBCMT ref: 00450A9C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                  APIs
                                  • _free.LIBCMT ref: 021B0CBB
                                    • Part of subcall function 021A6A69: HeapFree.KERNEL32(00000000,00000000,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?), ref: 021A6A7F
                                    • Part of subcall function 021A6A69: GetLastError.KERNEL32(?,?,021B0F56,?,00000000,?,00000000,?,021B11FA,?,00000007,?,?,021B1745,?,?), ref: 021A6A91
                                  • _free.LIBCMT ref: 021B0CCD
                                  • _free.LIBCMT ref: 021B0CDF
                                  • _free.LIBCMT ref: 021B0CF1
                                  • _free.LIBCMT ref: 021B0D03
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction ID: 42e18addb53da636c916282e6ed76f671d3ed50b7c5b1e31a2a3c942b2e83902
                                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction Fuzzy Hash: 09F0623A594244AF8A21EB98F9A5C5B73EEEE48B107A8C80DF10DDB550CB34FCC08A54
                                  APIs
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
                                  • IsWindowVisible.USER32(?), ref: 00417677
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                  • String ID: (VG
                                  • API String ID: 3142014140-3443974315
                                  • Opcode ID: 7e572b315b2ecefe35e30865a6849592f1677189f3bed39c221b32fb02a916d3
                                  • Instruction ID: 57afc706987f0d359dfa573bc041c79e98ae29994c94316b8148008c339bd05b
                                  • Opcode Fuzzy Hash: 7e572b315b2ecefe35e30865a6849592f1677189f3bed39c221b32fb02a916d3
                                  • Instruction Fuzzy Hash: 6E7109311082419AC365FB22D8959EFB3E5BFD4308F50493FF18A560E5EF746A49CB8A
                                  APIs
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 021778A5
                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 021778D7
                                  • IsWindowVisible.USER32(?), ref: 021778DE
                                    • Part of subcall function 0217C4D5: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0217C4ED
                                    • Part of subcall function 0217C4D5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0217C500
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                  • String ID: (VG
                                  • API String ID: 3142014140-3443974315
                                  • Opcode ID: 7e572b315b2ecefe35e30865a6849592f1677189f3bed39c221b32fb02a916d3
                                  • Instruction ID: 3ba4b18b8e26fc6c5d0d5d3756b528e2622c32e5ab3fc2f306fc13e113580161
                                  • Opcode Fuzzy Hash: 7e572b315b2ecefe35e30865a6849592f1677189f3bed39c221b32fb02a916d3
                                  • Instruction Fuzzy Hash: 6B71E6311982859FC335FB20D994AFFB3E6AFE4340F50492D959A420A4FF306A59CF96
                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Enum$InfoQueryValue
                                  • String ID: [regsplt]
                                  • API String ID: 3554306468-4262303796
                                  • Opcode ID: 6209f9adf3ebd54435f0d7a716eb47a0d81ae306c6dd88b89f6c65b2c0b42e3c
                                  • Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
                                  • Opcode Fuzzy Hash: 6209f9adf3ebd54435f0d7a716eb47a0d81ae306c6dd88b89f6c65b2c0b42e3c
                                  • Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
                                  APIs
                                  • _strpbrk.LIBCMT ref: 0044E7B8
                                  • _free.LIBCMT ref: 0044E8D5
                                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                  • String ID: *?$.
                                  • API String ID: 2812119850-3972193922
                                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                  APIs
                                  • _strpbrk.LIBCMT ref: 021AEA1F
                                  • _free.LIBCMT ref: 021AEB3C
                                    • Part of subcall function 0219BFCF: IsProcessorFeaturePresent.KERNEL32(00000017,0219BFA1,?,?,?,?,?,00000000,?,?,0219BFC1,00000000,00000000,00000000,00000000,00000000), ref: 0219BFD1
                                    • Part of subcall function 0219BFCF: GetCurrentProcess.KERNEL32(C0000417), ref: 0219BFF3
                                    • Part of subcall function 0219BFCF: TerminateProcess.KERNEL32(00000000), ref: 0219BFFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                  • String ID: *?$.
                                  • API String ID: 2812119850-3972193922
                                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction ID: c608ef31e16ee9392a9747d40dd136f1b9e811e642af177d03edcea90a29c51b
                                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction Fuzzy Hash: A7517079E4021AAFDF24DFA8C890AADBBF5FF48314F248179E855E7340E7759A018B50
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,00466118,0046C7C0,00000000,00000000,00000000), ref: 02177797
                                    • Part of subcall function 0217C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02164396,00465E84), ref: 0217C796
                                  • Sleep.KERNEL32(00000064), ref: 021777C3
                                  • DeleteFileW.KERNEL32(00000000), ref: 021777F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateDeleteExecuteShellSleep
                                  • String ID: /t
                                  • API String ID: 1462127192-3161277685
                                  • Opcode ID: 4a8a75732291f67a79b4bb287df9c8386a8e685f11fa6e359629df2218dcdd14
                                  • Instruction ID: 0cb97fe02ec5a4da7e10e4dedac17a682bb0d8a857c7537f2c4e92aff974831c
                                  • Opcode Fuzzy Hash: 4a8a75732291f67a79b4bb287df9c8386a8e685f11fa6e359629df2218dcdd14
                                  • Instruction Fuzzy Hash: B4316631980219AFDF14FBA0DC99EFE773AAF54701F400169E905631D0EF315A9ACE94
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                  • String ID: /sort "Visit Time" /stext "$@NG
                                  • API String ID: 368326130-3944316004
                                  • Opcode ID: 115d3ed6b1741adb512821b11b245dc659c1e2162bd541144790ef051353569d
                                  • Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
                                  • Opcode Fuzzy Hash: 115d3ed6b1741adb512821b11b245dc659c1e2162bd541144790ef051353569d
                                  • Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                    • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                    • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                  • _free.LIBCMT ref: 0044F050
                                  • _free.LIBCMT ref: 0044F086
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast_abort
                                  • String ID: xNi$xNi
                                  • API String ID: 2991157371-3434972644
                                  • Opcode ID: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                  • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                  • Opcode Fuzzy Hash: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                  • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                    • Part of subcall function 021AF35E: _abort.LIBCMT ref: 021AF390
                                    • Part of subcall function 021AF35E: _free.LIBCMT ref: 021AF3C4
                                    • Part of subcall function 021AEFD3: GetOEMCP.KERNEL32(00000000,?,?,021AF25C,?), ref: 021AEFFE
                                  • _free.LIBCMT ref: 021AF2B7
                                  • _free.LIBCMT ref: 021AF2ED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast_abort
                                  • String ID: xNi$xNi
                                  • API String ID: 2991157371-3434972644
                                  • Opcode ID: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                  • Instruction ID: 1c2e30385001791f1c91ef42efede5b65afd293f7d8781b0c175983cfe2e9c0d
                                  • Opcode Fuzzy Hash: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                  • Instruction Fuzzy Hash: 3D31B839944248AFDB14EBA8D460B997BF6EF41324F2540AAD9049B6A0DB379D42CF90
                                  APIs
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: [End of clipboard]$[Text copied to clipboard]$ mG
                                  • API String ID: 1881088180-2322839566
                                  • Opcode ID: 811cdfe000e459d503bb944029386f8ceaa377eb4ffdcb54278a65b681284296
                                  • Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
                                  • Opcode Fuzzy Hash: 811cdfe000e459d503bb944029386f8ceaa377eb4ffdcb54278a65b681284296
                                  • Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
                                  APIs
                                    • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                  Strings
                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                  • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                  • API String ID: 1174141254-1980882731
                                  • Opcode ID: 8e16928b384ae0ce72e815ae57c22294848a02c61a8a71f4ba9d785bccdf6d95
                                  • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                  • Opcode Fuzzy Hash: 8e16928b384ae0ce72e815ae57c22294848a02c61a8a71f4ba9d785bccdf6d95
                                  • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                  APIs
                                    • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                  Strings
                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                  • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                  • API String ID: 1174141254-1980882731
                                  • Opcode ID: 3001d16f89ba5f9bfed8131fc8dfd9e41104078c7e185fc4d6da829b92f4ee01
                                  • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                  • Opcode Fuzzy Hash: 3001d16f89ba5f9bfed8131fc8dfd9e41104078c7e185fc4d6da829b92f4ee01
                                  • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,00475100,00000000,00000000), ref: 0040A239
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,00475100,00000000,00000000), ref: 0040A249
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,00475100,00000000,00000000), ref: 0040A255
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTimewsprintf
                                  • String ID: Offline Keylogger Started
                                  • API String ID: 465354869-4114347211
                                  • Opcode ID: 92393599314cdac243db22048625a744874d745818ca257d105f9e1d10550b18
                                  • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                  • Opcode Fuzzy Hash: 92393599314cdac243db22048625a744874d745818ca257d105f9e1d10550b18
                                  • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                  APIs
                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0216B414
                                  • wsprintfW.USER32 ref: 0216B495
                                    • Part of subcall function 0216A8D8: SetEvent.KERNEL32(00000000,?,00000000,0216B4AC,00000000), ref: 0216A904
                                  Strings
                                  • [%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0216B41D
                                  • Offline Keylogger Started, xrefs: 0216B40D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EventLocalTimewsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
                                  • API String ID: 1497725170-184404310
                                  • Opcode ID: f9526eb5d856589d90c83fc652210ce489dd7a7d01c7ea913962da3ca4376f3a
                                  • Instruction ID: db1f4207424c7358522ce0ed564979d4b95a1daa29434964841f2a85a0c0abab
                                  • Opcode Fuzzy Hash: f9526eb5d856589d90c83fc652210ce489dd7a7d01c7ea913962da3ca4376f3a
                                  • Instruction Fuzzy Hash: AA115476444118AECB18FB54EC548FF77BEEE48311B00012EF94262090EF785A95CBA8
                                  APIs
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTime$wsprintf
                                  • String ID: Online Keylogger Started
                                  • API String ID: 112202259-1258561607
                                  • Opcode ID: cb9a29855c8325d0197d48755fee34e9bc97ff6ac40042635dd16319aee925ad
                                  • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                  • Opcode Fuzzy Hash: cb9a29855c8325d0197d48755fee34e9bc97ff6ac40042635dd16319aee925ad
                                  • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                  APIs
                                  • CloseHandle.KERNEL32(00000000,00000000,0040F3F6,?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE42
                                  • GetLastError.KERNEL32(?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE4C
                                  • __dosmaperr.LIBCMT ref: 0044BE77
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseErrorHandleLast__dosmaperr
                                  • String ID: pBi
                                  • API String ID: 2583163307-1569801529
                                  • Opcode ID: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                  • Instruction ID: c640735ad7e51643fe6b0a0a71fefea3e0d0f945221813f090adf85c72c27ea1
                                  • Opcode Fuzzy Hash: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                  • Instruction Fuzzy Hash: AC01483260066866E624623858457BF6789CBC2739F35022FFE18872C3DF6CCC8181D9
                                  APIs
                                  • CloseHandle.KERNEL32(00000000,00000000,02195B7E,?,021ABF71,02195B7E,0046EBC0,0000000C), ref: 021AC0A9
                                  • GetLastError.KERNEL32(?,021ABF71,02195B7E,0046EBC0,0000000C), ref: 021AC0B3
                                  • __dosmaperr.LIBCMT ref: 021AC0DE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseErrorHandleLast__dosmaperr
                                  • String ID: pBi
                                  • API String ID: 2583163307-1569801529
                                  • Opcode ID: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                  • Instruction ID: cb47e8393996452dff64201d12cf49f648abb61c6874c78a321fee60437affbf
                                  • Opcode Fuzzy Hash: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                  • Instruction Fuzzy Hash: 30018E3E6802105AD6252234DF967BF775A4F8AB34F35022FEC18C71D1DF6188C086D0
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00404F81
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                  • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$EventLocalThreadTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 2532271599-1507639952
                                  • Opcode ID: 751c2b6d3b449d78c9dea02e9c5bdf2dbf871d3bedc1a6577ce5ae8c27f0735b
                                  • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                  • Opcode Fuzzy Hash: 751c2b6d3b449d78c9dea02e9c5bdf2dbf871d3bedc1a6577ce5ae8c27f0735b
                                  • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 021651E8
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02165234
                                  • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 02165247
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 021651FB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$EventLocalThreadTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 2532271599-1507639952
                                  • Opcode ID: 265870ca6a49f1cfdf3a79916e036cd98acee69504672a74e3c9871262499b03
                                  • Instruction ID: 2dcd3bbc6de3af9c796a7872d7b1fceb84c0e6f1272e6bc83186750a84b09789
                                  • Opcode Fuzzy Hash: 265870ca6a49f1cfdf3a79916e036cd98acee69504672a74e3c9871262499b03
                                  • Instruction Fuzzy Hash: BC11E331844380BEC720BB669C0CBBFBFBA9BD6710F44405EE84252150DB749454CBA2
                                  APIs
                                  • _wcslen.LIBCMT ref: 021677C3
                                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 02167824
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Object_wcslen
                                  • String ID: $${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                  • API String ID: 240030777-2784132835
                                  • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                  • Instruction ID: c0776ae9b793565c7f10a7ffa80f52ea392f9d388317b8a0f89883d078652edc
                                  • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                  • Instruction Fuzzy Hash: 1B118A71D80214BBD710EAD59849AEEF7BCDB54724F150066EC04E2280EB789A45CAA6
                                  APIs
                                  • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: CryptUnprotectData$crypt32
                                  • API String ID: 2574300362-2380590389
                                  • Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                  • Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
                                  • Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                  • Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                  • CloseHandle.KERNEL32(?), ref: 004051CA
                                  • SetEvent.KERNEL32(?), ref: 004051D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandleObjectSingleWait
                                  • String ID: Connection Timeout
                                  • API String ID: 2055531096-499159329
                                  • Opcode ID: 7996a63852ac8a0a2829cd2f8d54d744873183095a2b92b05d9651879fb4a702
                                  • Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
                                  • Opcode Fuzzy Hash: 7996a63852ac8a0a2829cd2f8d54d744873183095a2b92b05d9651879fb4a702
                                  • Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8Throw
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2005118841-1866435925
                                  • Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                  • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                  • Opcode Fuzzy Hash: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                  • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                  • String ID: bad locale name
                                  • API String ID: 3628047217-1405518554
                                  • Opcode ID: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                  • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                  • Opcode Fuzzy Hash: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                  • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                  APIs
                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 02173AC1
                                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,00475300,?,0216FAC5,pth_unenc,0i), ref: 02173AEF
                                  • RegCloseKey.ADVAPI32(?,?,0216FAC5,pth_unenc,0i), ref: 02173AFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: pth_unenc
                                  • API String ID: 1818849710-4028850238
                                  • Opcode ID: 4130c156bc7d53422bd274e0503f6f5712380358a0a777b589ce21756e596352
                                  • Instruction ID: 6e675b7dc1f39f8ae7f2028255e421d5337491670665312976d24f7f89371e9f
                                  • Opcode Fuzzy Hash: 4130c156bc7d53422bd274e0503f6f5712380358a0a777b589ce21756e596352
                                  • Instruction Fuzzy Hash: 97F04971584218BBDF10ABA0EC49EFE776CEB44B51F004964FD0596160EB329E14DAA0
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                  • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000), ref: 004137E1
                                  • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000,?,00408798,00000001), ref: 004137EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: Control Panel\Desktop
                                  • API String ID: 1818849710-27424756
                                  • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                  • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                  • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                  • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 02173A20
                                  • RegSetValueExA.ADVAPI32(0046612C,0046CBC8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0217CDA9,0046CBC8,0046612C,00000001,00474EF0,00000000), ref: 02173A48
                                  • RegCloseKey.ADVAPI32(0046612C,?,?,0217CDA9,0046CBC8,0046612C,00000001,00474EF0,00000000,?,021689FF,00000001), ref: 02173A53
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: Control Panel\Desktop
                                  • API String ID: 1818849710-27424756
                                  • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                  • Instruction ID: 28a0f67ae3f479665e6c6f122d968990e1319212745ae2ed0dc68b389e3343cb
                                  • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                  • Instruction Fuzzy Hash: 03F06D72480218FFCF00AFA0ED49EFE376DEF44B51F104664BD0AA6061EB319E14EA90
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                  • ShowWindow.USER32(00000009), ref: 00416C9C
                                  • SetForegroundWindow.USER32 ref: 00416CA8
                                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                    • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                    • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                  • String ID: !D@
                                  • API String ID: 186401046-604454484
                                  • Opcode ID: 299c7e2eac24c2f7a13a1ef740d02627241d5152881cd92f93c311e1267b1ee5
                                  • Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
                                  • Opcode Fuzzy Hash: 299c7e2eac24c2f7a13a1ef740d02627241d5152881cd92f93c311e1267b1ee5
                                  • Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,0041D4EE,00000000,00000000,00000000), ref: 02176EE9
                                  • ShowWindow.USER32(00000009), ref: 02176F03
                                  • SetForegroundWindow.USER32 ref: 02176F0F
                                    • Part of subcall function 0217D093: AllocConsole.KERNEL32 ref: 0217D09C
                                    • Part of subcall function 0217D093: GetConsoleWindow.KERNEL32 ref: 0217D0A2
                                    • Part of subcall function 0217D093: ShowWindow.USER32(00000000,00000000), ref: 0217D0B5
                                    • Part of subcall function 0217D093: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0217D0DA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                  • String ID: !D@
                                  • API String ID: 186401046-604454484
                                  • Opcode ID: 299c7e2eac24c2f7a13a1ef740d02627241d5152881cd92f93c311e1267b1ee5
                                  • Instruction ID: 71115949e1418d6b563f196d1730bd8c0783c89c2e30f1a0f2d2eaf8805ccfad
                                  • Opcode Fuzzy Hash: 299c7e2eac24c2f7a13a1ef740d02627241d5152881cd92f93c311e1267b1ee5
                                  • Instruction Fuzzy Hash: EFF089701C8240EFD324EF64ED58BBBB769DB94301F40443AED09C20A1DF305C55CA59
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID: /C $cmd.exe$open
                                  • API String ID: 587946157-3896048727
                                  • Opcode ID: ba5b8ac7040460dc6065eceb26c8d4705fa8e3e7fffb1ef49e463b9dc02157a1
                                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                  • Opcode Fuzzy Hash: ba5b8ac7040460dc6065eceb26c8d4705fa8e3e7fffb1ef49e463b9dc02157a1
                                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                  APIs
                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetCursorInfo$User32.dll
                                  • API String ID: 1646373207-2714051624
                                  • Opcode ID: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
                                  • Instruction ID: dd969ba971dbaa29921178884ad428293cf5128bfb63f122c38d39e9abecacc1
                                  • Opcode Fuzzy Hash: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
                                  • Instruction Fuzzy Hash: 3EB09B74541740FB8F102B745D4D5153525A604703B100475F041D6151D7B584009A1E
                                  APIs
                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetLastInputInfo$User32.dll
                                  • API String ID: 2574300362-1519888992
                                  • Opcode ID: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
                                  • Instruction ID: c0691e7ba4e037ba5be4177d0f13c81de84985c40ff74287bb3597843e96be7a
                                  • Opcode Fuzzy Hash: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
                                  • Instruction Fuzzy Hash: 5FB092B8580340FBCB002BA0AD4E91E3A64AA18703B1008ABF041D21A1EBB888009F2F
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  • API String ID: 1036877536-0
                                  • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                  • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  • API String ID: 1036877536-0
                                  • Opcode ID: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                                  • Instruction ID: 40b5c13df9fa77567d3cd4760dd4009eddb077690e4ec556c5320a73d6292795
                                  • Opcode Fuzzy Hash: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                                  • Instruction Fuzzy Hash: 34A18B7AA803869FD726CF28C8A07BEFBF5EF55310F1841ADE9959B281C3349941CB54
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,0046CAF0,00000000,00020019,?), ref: 0217C9A9
                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0217C9ED
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumOpen
                                  • String ID:
                                  • API String ID: 3231578192-0
                                  • Opcode ID: 8834d76765b8d9aa2aae2e6c3e4fc44c7e31d4deaeca63b3a5fa155628fd0460
                                  • Instruction ID: 83302067f5ceb2ebecf24a06f7a90460e90edb9d07da0e021604fe92c0df654d
                                  • Opcode Fuzzy Hash: 8834d76765b8d9aa2aae2e6c3e4fc44c7e31d4deaeca63b3a5fa155628fd0460
                                  • Instruction Fuzzy Hash: 98811E311583459FD325EB20D854EFFB3E9EFD4700F10492EA99A82190EF71AA59CF92
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                  • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                  • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                  • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                  • Instruction ID: f6c90c2450afc485642333bd38043424b1f306232e074c6d4a126f1b91f01b0c
                                  • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                  • Instruction Fuzzy Hash: 9A412D36EC41406EDB277B788C54BEE7A7AEF56370F14412AF414D61D0EB7489418AD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction ID: fece32e18e424add61ae9ccdb0ac627175293def1139a12aec84e7e91191b325
                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction Fuzzy Hash: 35411976A80304AFD7399F78CC50BAABBFAEF88710F10453AE915DB680E7759501CB80
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                  • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3360349984-0
                                  • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                  • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                  • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                  • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 0216501A
                                  • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 0216502E
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 02165039
                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 02165042
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3360349984-0
                                  • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                  • Instruction ID: 0f41e728721002c7df9b39878df9149cf8812efa01659d7d5418a7258198dad8
                                  • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                  • Instruction Fuzzy Hash: 4D419171188341AFC714EB60DD58EBFB7EEAF95711F44091DF892921A0EB34D928CB62
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 021B1460
                                  • MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 021B14E9
                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 021B14FB
                                  • __freea.LIBCMT ref: 021B1504
                                    • Part of subcall function 021A641F: RtlAllocateHeap.NTDLL(00000000,021955B0,?), ref: 021A6451
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                  • String ID:
                                  • API String ID: 2652629310-0
                                  • Opcode ID: 29fbf7857a96745c538d0cac7db2b43cff4be5d8612efa81122893b79f6f153c
                                  • Instruction ID: 5cac00d126be373201d0049ecacadca0d0f5546a8667b387ab9f19fca78bad86
                                  • Opcode Fuzzy Hash: 29fbf7857a96745c538d0cac7db2b43cff4be5d8612efa81122893b79f6f153c
                                  • Instruction Fuzzy Hash: 7531AD72A4020AAFDF26CFA4CC54EEE7BB5EF45314F064168EC09D6290EB35C951CBA0
                                  Strings
                                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                  • Cleared browsers logins and cookies., xrefs: 0040C130
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                  • API String ID: 3472027048-1236744412
                                  • Opcode ID: 0d45b63c12cc5d8728377751c7dadbc0437779309672a0b5bda15efafb17f866
                                  • Instruction ID: a79ddf3c6a5b8d59d799e992b07df0540e48cd861b142758bc1ef4dabba95ae9
                                  • Opcode Fuzzy Hash: 0d45b63c12cc5d8728377751c7dadbc0437779309672a0b5bda15efafb17f866
                                  • Instruction Fuzzy Hash: F631A904648381EDD6116BF514967AB7B824E53744F0886BFB8C8273C3DABA4808C75F
                                  APIs
                                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                  • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQuerySleepValue
                                  • String ID: 0i$HSG$exepath
                                  • API String ID: 4119054056-2092409851
                                  • Opcode ID: fa4264ab7ee0f56fbb1436d7a8ba00959a1c70ff335175d8111d710f019c8f65
                                  • Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
                                  • Opcode Fuzzy Hash: fa4264ab7ee0f56fbb1436d7a8ba00959a1c70ff335175d8111d710f019c8f65
                                  • Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 02165726
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 021657D6
                                  • TranslateMessage.USER32(?), ref: 021657E5
                                  • DispatchMessageA.USER32(?), ref: 021657F0
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 021658A8
                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 021658E0
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                  • String ID:
                                  • API String ID: 2956720200-0
                                  • Opcode ID: a5afae74d9d975d3734efbc5b2fed6f3b740a1721f9b0f61cfb34277215eac2c
                                  • Instruction ID: 84d02bf1c0f2967c7adf866c79bd823a6c578e78da1c05b4b678c61d4d87b38c
                                  • Opcode Fuzzy Hash: a5afae74d9d975d3734efbc5b2fed6f3b740a1721f9b0f61cfb34277215eac2c
                                  • Instruction Fuzzy Hash: 80216075544301EBCB24EB74CD4D8BE7BA9AB85700F840929F91293195DB34D915CB52
                                  APIs
                                    • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                    • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                    • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                  • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                  • Sleep.KERNEL32(00000064), ref: 0040A638
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$ForegroundLength
                                  • String ID: [ $ ]
                                  • API String ID: 3309952895-93608704
                                  • Opcode ID: 69f93e903a5a9c6d889e9b85f3e5b234b319eb86257ec0e35b47b15ed479ba79
                                  • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                  • Opcode Fuzzy Hash: 69f93e903a5a9c6d889e9b85f3e5b234b319eb86257ec0e35b47b15ed479ba79
                                  • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0217AF80
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0217AF94
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0217AFA1
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0217AFD6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$ChangeCloseConfigHandleManager
                                  • String ID:
                                  • API String ID: 110783151-0
                                  • Opcode ID: 6768d04de6bba430942b0409d96819e7e0e6ab90830dc8ea3fc78fe1771b3c5b
                                  • Instruction ID: 843278fdb93900d63379ddcbff45c912ddf59ddb09af579fea5b13a630c65da8
                                  • Opcode Fuzzy Hash: 6768d04de6bba430942b0409d96819e7e0e6ab90830dc8ea3fc78fe1771b3c5b
                                  • Instruction Fuzzy Hash: CF01F5B21C9224BAD6115B399C4DEBF3B7CDF82672F000325FA25921D1DB64CE05D5A5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SystemTimes$Sleep__aulldiv
                                  • String ID:
                                  • API String ID: 188215759-0
                                  • Opcode ID: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                  • Instruction ID: 34fec0fc5de9b46989c99fc374850f6e4511d06c61be9fc580282ef5e3b3a0c9
                                  • Opcode Fuzzy Hash: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                  • Instruction Fuzzy Hash: 4A1142B35043446BC304FBB5CD85DEF77ACEBC4359F040A3EF64A82061EE29EA498695
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                  • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                  • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                  • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SystemTimes$Sleep__aulldiv
                                  • String ID:
                                  • API String ID: 188215759-0
                                  • Opcode ID: 9fa52812dddae464349498c8bb160a466db767b7dadd9130175d79420bf3a38a
                                  • Instruction ID: 64d20b625f5e7ba8bc76a1d2ffc2cd29e3962dc1929f5e0a0d508fe4b781a1da
                                  • Opcode Fuzzy Hash: 9fa52812dddae464349498c8bb160a466db767b7dadd9130175d79420bf3a38a
                                  • Instruction Fuzzy Hash: 39113D739483446FC355FAB4CC85DAB7BADEAC5356F044A39F94682050EF24EB088AA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                  • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                  • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                  • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                  • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,021A87F4,?,00000000,00000000,00000000,?,021A8B20,00000006,0045A3E4), ref: 021A887F
                                  • GetLastError.KERNEL32(?,021A87F4,?,00000000,00000000,00000000,?,021A8B20,00000006,0045A3E4,0045F170,0045F178,00000000,00000364,?,021A85CE), ref: 021A888B
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,021A87F4,?,00000000,00000000,00000000,?,021A8B20,00000006,0045A3E4,0045F170,0045F178,00000000), ref: 021A8899
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction ID: e616f4fd0fdaa4bc87463f966e31db3ccf84403ec39a1b6f289f95d265f4fcbb
                                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction Fuzzy Hash: 3E01FC3A646322EBDB214F69DC54A577758AF44B61F130530F915D3141DF20D800C7E4
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                  • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 3919263394-0
                                  • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                  • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                  • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                  • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02164396,00465E84), ref: 0217C796
                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,02164396,00465E84), ref: 0217C7AA
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02164396,00465E84), ref: 0217C7CF
                                  • CloseHandle.KERNEL32(00000000,?,00000000,02164396,00465E84), ref: 0217C7DD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 3919263394-0
                                  • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                  • Instruction ID: 2149f1aa921cae1ab41a43e6ed4240759f6559112aac77b80a5393f1be92a8f4
                                  • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                  • Instruction Fuzzy Hash: 28F062B5281218BFE6141B24AC88FBF37ADDBCA6A6F10062EFD02921C1DB258D055575
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                    • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                  • _UnwindNestedFrames.LIBCMT ref: 00439911
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                  • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                  • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                  • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                  • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                  APIs
                                  • AllocConsole.KERNEL32 ref: 0217D09C
                                  • GetConsoleWindow.KERNEL32 ref: 0217D0A2
                                  • ShowWindow.USER32(00000000,00000000), ref: 0217D0B5
                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0217D0DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$Window$AllocOutputShow
                                  • String ID:
                                  • API String ID: 4067487056-0
                                  • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                  • Instruction ID: 0b4b82b2d031b45fda5a0cccc8e287c5803d0899f7d3d0af2d6c25410c5195d1
                                  • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                  • Instruction Fuzzy Hash: CF0144759C0308AFDA10F7F09D4AF9D77AD9B44B01F600426BA48A70C1EB7D9D148A5A
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 02199B61
                                    • Part of subcall function 0219A199: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 0219A1C8
                                    • Part of subcall function 0219A199: ___AdjustPointer.LIBCMT ref: 0219A1E3
                                  • _UnwindNestedFrames.LIBCMT ref: 02199B78
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 02199B8A
                                  • CallCatchBlock.LIBVCRUNTIME ref: 02199BAE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                  • String ID:
                                  • API String ID: 2901542994-0
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0217AEB1
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0217AEC5
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0217AED2
                                  • ControlService.ADVAPI32(00000000,00000002,?), ref: 0217AEE1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseControlHandleManager
                                  • String ID:
                                  • API String ID: 1243734080-0
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0217AF18
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0217AF2C
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0217AF39
                                  • ControlService.ADVAPI32(00000000,00000003,?), ref: 0217AF48
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseControlHandleManager
                                  • String ID:
                                  • API String ID: 1243734080-0
                                  APIs
                                  • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                  • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                  • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                  • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MetricsSystem
                                  • String ID:
                                  • API String ID: 4116985748-0
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0217A998,00000000), ref: 0217AD4B
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0217A998,00000000), ref: 0217AD60
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0217A998,00000000), ref: 0217AD6D
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0217A998,00000000), ref: 0217AD78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseHandleManagerStart
                                  • String ID:
                                  • API String ID: 2553746010-0
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474F08,021650E1,00000001,?,00000000,00474F08,02164F0F,00000000,00000000,00000000,00000000), ref: 02165387
                                  • SetEvent.KERNEL32(?,?,00000000,00474F08,02164F0F,00000000,00000000,00000000,00000000), ref: 02165393
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00474F08,02164F0F,00000000,00000000,00000000,00000000), ref: 0216539E
                                  • CloseHandle.KERNEL32(?,?,00000000,00474F08,02164F0F,00000000,00000000,00000000,00000000), ref: 021653A7
                                    • Part of subcall function 0217B7E7: GetLocalTime.KERNEL32(00000000), ref: 0217B801
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                  • String ID:
                                  • API String ID: 2993684571-0
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5), ref: 0217D05A
                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0217D067
                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0217D074
                                  • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0217D087
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                  • String ID:
                                  • API String ID: 3024135584-0
                                  APIs
                                  • FindResourceA.KERNEL32(0046CA24,0000000A,00000000), ref: 0217B7B1
                                  • LoadResource.KERNEL32(00000000,?,?,0216F680,00000000), ref: 0217B7C5
                                  • LockResource.KERNEL32(00000000,?,?,0216F680,00000000), ref: 0217B7CC
                                  • SizeofResource.KERNEL32(00000000,?,?,0216F680,00000000), ref: 0217B7DB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID:
                                  • API String ID: 3473537107-0
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                    • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 02199218
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0219921D
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 02199222
                                    • Part of subcall function 0219A721: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0219A732
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 02199237
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-
                                  • API String ID: 1302938615-2137968064
                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHandling__start
                                  • String ID: pow
                                  • API String ID: 3213639722-2276729525
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CountEventTick
                                  • String ID: !D@
                                  • API String ID: 180926312-604454484
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 02175E28
                                    • Part of subcall function 0217BDDE: GetLastInputInfo.USER32(?), ref: 0217BDEE
                                    • Part of subcall function 0217BDDE: GetTickCount.KERNEL32 ref: 0217BDF4
                                    • Part of subcall function 0217BD8E: GetForegroundWindow.USER32 ref: 0217BDB0
                                    • Part of subcall function 0217BD8E: GetWindowTextW.USER32(00000000,?,00000100), ref: 0217BDC3
                                    • Part of subcall function 02164D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02164D9D
                                    • Part of subcall function 0216525B: GetLocalTime.KERNEL32(?), ref: 02165297
                                    • Part of subcall function 0216525B: GetLocalTime.KERNEL32(?), ref: 021652EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CountLocalTickTimeWindow$ForegroundInfoInputLastTextsend
                                  • String ID: !D@$,aF
                                  • API String ID: 1906814977-3317875915
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 021642CD
                                    • Part of subcall function 0217BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,021642E3), ref: 0217BC97
                                    • Part of subcall function 0217880A: CloseHandle.KERNEL32(0216435C,?,?,0216435C,00465E84), ref: 02178820
                                    • Part of subcall function 0217880A: CloseHandle.KERNEL32(00465E84,?,?,0216435C,00465E84), ref: 02178829
                                    • Part of subcall function 0217C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02164396,00465E84), ref: 0217C796
                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 0216439F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                  • String ID: @NG
                                  • API String ID: 368326130-161079914
                                  APIs
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                    • Part of subcall function 00418691: 73BE2440.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                    • Part of subcall function 00418706: 73BFEFB0.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                    • Part of subcall function 004186B4: 73C05080.GDIPLUS(?,00418BBD), ref: 004186BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateStream$C05080E2440
                                  • String ID: image/jpeg
                                  • API String ID: 964639938-3785015651
                                  APIs
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02178D60
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 02178DAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateStream
                                  • String ID: image/jpeg
                                  • API String ID: 1369699375-3785015651
                                  APIs
                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ACP$OCP
                                  • API String ID: 0-711371036
                                  APIs
                                    • Part of subcall function 02194A68: __onexit.LIBCMT ref: 02194A6E
                                  • __Init_thread_footer.LIBCMT ref: 0216BA39
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: mG$xdF
                                  • API String ID: 1881088180-3891541432
                                  APIs
                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,021B2079,?,00000050,?,?,?,?,?), ref: 021B1EF9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ACP$OCP
                                  • API String ID: 0-711371036
                                  APIs
                                  • _wcslen.LIBCMT ref: 00416330
                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                    • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                    • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcslen$CloseCreateValue
                                  • String ID: !D@$okmode
                                  • API String ID: 3411444782-1942679189
                                  • Opcode ID: 6236e1ae3c0c31af23e2c8bc277128b7b69df3d7e586693640e81273bc091059
                                  • Instruction ID: 3691d04bdc76b081f03c0e50e7d604d291fd2bc6213442c77ae478975c73e837
                                  • Opcode Fuzzy Hash: 6236e1ae3c0c31af23e2c8bc277128b7b69df3d7e586693640e81273bc091059
                                  • Instruction Fuzzy Hash: E211A871B042011BDA187B72D822BBD2296DB84349F80483FF50AAF2E2DFBD4C51535D
                                  APIs
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                    • Part of subcall function 00418691: 73BE2440.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                    • Part of subcall function 00418706: 73BFEFB0.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                    • Part of subcall function 004186B4: 73C05080.GDIPLUS(?,00418BBD), ref: 004186BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateStream$C05080E2440
                                  • String ID: image/png
                                  • API String ID: 964639938-2966254431
                                  • Opcode ID: 987b917c03e66718990ed617162df62515b77dfca822779b7a08762b8303520b
                                  • Instruction ID: f628a6b37c0337dbee8ef7f798de7cbb8cc54a1da061f00231e4b0513ad08027
                                  • Opcode Fuzzy Hash: 987b917c03e66718990ed617162df62515b77dfca822779b7a08762b8303520b
                                  • Instruction Fuzzy Hash: 4221C375204211AFC700AB61CC89DBFBBACEFCA314F10452EF54693251DB389945CBA6
                                  APIs
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02178E4C
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 02178E71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateStream
                                  • String ID: image/png
                                  • API String ID: 1369699375-2966254431
                                  • Opcode ID: 987b917c03e66718990ed617162df62515b77dfca822779b7a08762b8303520b
                                  • Instruction ID: bd48e7eada4035c0fa85ca45b4b461924c452d3ab03b37ffd4a21791d330dc5d
                                  • Opcode Fuzzy Hash: 987b917c03e66718990ed617162df62515b77dfca822779b7a08762b8303520b
                                  • Instruction Fuzzy Hash: 5121A171244210AFC700AB60CC88DBFBBBEEFCA751F10451DF94693120DB359955DBA2
                                  APIs
                                  • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 481472006-1507639952
                                  • Opcode ID: 26bd689ae9f5a8ca4cc42161fd4a737406e6bde8edb1e72d222357881667aa70
                                  • Instruction ID: b700b38ef9f928670de2390b904a97a1cb71e472754ad5b4355c5e73bb52b66b
                                  • Opcode Fuzzy Hash: 26bd689ae9f5a8ca4cc42161fd4a737406e6bde8edb1e72d222357881667aa70
                                  • Instruction Fuzzy Hash: E62104719007806BD710B732A80A76F7B64E755308F44057EE8491B2A2EB7D5988CBDE
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 02165297
                                    • Part of subcall function 0217B7E7: GetLocalTime.KERNEL32(00000000), ref: 0217B801
                                  • GetLocalTime.KERNEL32(?), ref: 021652EE
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 02165286
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 481472006-1507639952
                                  • Opcode ID: fafa22d7485c9b9af755bd661b3a7c95bf01426dd8ce028ebaa8e1e096a55f09
                                  • Instruction ID: b77e1028426d35d05a36f4af2254360ab61b33d485a2deba000f22e1e3c65c12
                                  • Opcode Fuzzy Hash: fafa22d7485c9b9af755bd661b3a7c95bf01426dd8ce028ebaa8e1e096a55f09
                                  • Instruction Fuzzy Hash: 5A213861D44340AFC700F734ED4C73F7BA66B55308FC4052DD8490B265DBB55658CB9A
                                  APIs
                                  • Sleep.KERNEL32 ref: 0041667B
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DownloadFileSleep
                                  • String ID: !D@
                                  • API String ID: 1931167962-604454484
                                  • Opcode ID: 4bebd131a251d400a6d2fc282cf18c8d556216e087351868230249c99a66146c
                                  • Instruction ID: 943aba663a6785b3e55a0e29e9dd0f60b42d3502aaa7a5a348319576c1e2766f
                                  • Opcode Fuzzy Hash: 4bebd131a251d400a6d2fc282cf18c8d556216e087351868230249c99a66146c
                                  • Instruction Fuzzy Hash: 9D1142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                  APIs
                                  • Sleep.KERNEL32(00000064), ref: 021768E2
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 02176944
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DownloadFileSleep
                                  • String ID: !D@
                                  • API String ID: 1931167962-604454484
                                  • Opcode ID: 24278099886a03d7930d1d1f3b436dd2dc5d66f7030c81053dd5fc241b457994
                                  • Instruction ID: e2b53e613448256d8281ac8b0c0e06fd54513b0130562e070464b2321366dc83
                                  • Opcode Fuzzy Hash: 24278099886a03d7930d1d1f3b436dd2dc5d66f7030c81053dd5fc241b457994
                                  • Instruction Fuzzy Hash: 80114F716C83029EC614FF70D9AD97E73AAAF95300F400C2DEE4683195EF319928CA52
                                  APIs
                                  • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: | $%02i:%02i:%02i:%03i
                                  • API String ID: 481472006-2430845779
                                  • Opcode ID: 23fa0ef33e23c51acc25039f5b4c387a24ac30d1e525e3dcef4a48577b83362e
                                  • Instruction ID: dc1ef91952a31d7701eba46fb19b130c3a81cf04c31882e55cbcd77cf5b9c3d8
                                  • Opcode Fuzzy Hash: 23fa0ef33e23c51acc25039f5b4c387a24ac30d1e525e3dcef4a48577b83362e
                                  • Instruction Fuzzy Hash: 72118E714082455AC304EB62D8519BFB3E9AB44308F50093FF88AA21E1EF3CDA45C69E
                                  APIs
                                  • CoInitializeEx.COMBASE(00000000,00000002), ref: 02167872
                                    • Part of subcall function 0216779F: _wcslen.LIBCMT ref: 021677C3
                                    • Part of subcall function 0216779F: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 02167824
                                  • CoUninitialize.COMBASE ref: 021678CB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InitializeObjectUninitialize_wcslen
                                  • String ID: C:\Users\user\Desktop\YESOHDKMIm.exe
                                  • API String ID: 3851391207-1729826443
                                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                  • Instruction ID: 5838cfa88b71dbe7e839a1a581f8a821eb4c80edace635741d4c118bbf60a6b7
                                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                  • Instruction Fuzzy Hash: DC0180727453116FE2246B11DC0EF7FA74DDB81B2DF21012EF901861C1EF95AC028AB2
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: alarm.wav$xYG
                                  • API String ID: 1174141254-3120134784
                                  • Opcode ID: 64cd0adba8cb64f7cc29e3bcfb1a1c37beafda4eb82c8f499b05d2b71789c391
                                  • Instruction ID: fba4c3df788ebc26406fa6248c5b94d62a9d66ba9cb3dc57f05af0bb44f50ff0
                                  • Opcode Fuzzy Hash: 64cd0adba8cb64f7cc29e3bcfb1a1c37beafda4eb82c8f499b05d2b71789c391
                                  • Instruction Fuzzy Hash: 78019E7068831166CA04F77688166EE37559B80318F00847FF64A566E2EFBC9A9586CF
                                  APIs
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                  • UnhookWindowsHookEx.USER32 ref: 0040B102
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                  • String ID: Online Keylogger Stopped
                                  • API String ID: 1623830855-1496645233
                                  • Opcode ID: 0f1c112f87acab909ab6bc803b42681e3fa8e5641989153b0a0e393c705c181a
                                  • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                  • Opcode Fuzzy Hash: 0f1c112f87acab909ab6bc803b42681e3fa8e5641989153b0a0e393c705c181a
                                  • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                  APIs
                                    • Part of subcall function 0216B406: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0216B414
                                    • Part of subcall function 0216B406: wsprintfW.USER32 ref: 0216B495
                                    • Part of subcall function 0217B7E7: GetLocalTime.KERNEL32(00000000), ref: 0217B801
                                  • CloseHandle.KERNEL32(?), ref: 0216B356
                                  • UnhookWindowsHookEx.USER32 ref: 0216B369
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                  • String ID: Online Keylogger Stopped
                                  • API String ID: 1623830855-1496645233
                                  • Opcode ID: 752f1b0530f09a227fccadca3f0ff38838367ade688bdeb0a317c415c2ec40dd
                                  • Instruction ID: 24c788fa0276eb1827579a084c8f5b9551e5ae927e7faea4cfeef8ae7e3a0e45
                                  • Opcode Fuzzy Hash: 752f1b0530f09a227fccadca3f0ff38838367ade688bdeb0a317c415c2ec40dd
                                  • Instruction Fuzzy Hash: 91012431A88200DFC7217B28CC0E77E7BB29F42304F8400ADD88252191EB751A65DBDB
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • _abort.LIBCMT ref: 0044F129
                                  • _free.LIBCMT ref: 0044F15D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_abort_free
                                  • String ID: xNi
                                  • API String ID: 289325740-4281817997
                                  • Opcode ID: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                  • Instruction ID: a8e40e627a719db10bf70d85eeadc0c4c2fb790701f4ec7f842983f146219858
                                  • Opcode Fuzzy Hash: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                  • Instruction Fuzzy Hash: 0501A1B1D01A21DBEB31AFA9D84265EB3A0BF04720B19012FE51463391CB386D46CBCE
                                  APIs
                                    • Part of subcall function 021A84FC: GetLastError.KERNEL32(?,0219F9D7,0219AADC,0219F9D7,00474F08,?,0219D0CC,FF8BC35D,00474F08,00474F08), ref: 021A8500
                                    • Part of subcall function 021A84FC: _free.LIBCMT ref: 021A8533
                                    • Part of subcall function 021A84FC: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 021A8574
                                    • Part of subcall function 021A84FC: _abort.LIBCMT ref: 021A857A
                                  • _abort.LIBCMT ref: 021AF390
                                  • _free.LIBCMT ref: 021AF3C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_abort_free
                                  • String ID: xNi
                                  • API String ID: 289325740-4281817997
                                  • Opcode ID: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                  • Instruction ID: 2bd763466a95287593a4cad6fc8cde897c95cf96c49d94b5e5197cd7b27e346f
                                  • Opcode Fuzzy Hash: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                  • Instruction Fuzzy Hash: C701D6B9D82621DFCB31AF6D843076EB3A1BF04B61B19011BD52467690C7396983CFC6
                                  APIs
                                  • waveInPrepareHeader.WINMM(006922F8,00000020,?,?,00476B60,00474EF0,?,00000000,00401A15), ref: 00401849
                                  • waveInAddBuffer.WINMM(006922F8,00000020,?,00000000,00401A15), ref: 0040185F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferHeaderPrepare
                                  • String ID: hMG
                                  • API String ID: 2315374483-350922481
                                  • Opcode ID: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                  • Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
                                  • Opcode Fuzzy Hash: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                  • Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98
                                  APIs
                                  • waveInPrepareHeader.WINMM(00474DA4,00000020,00476BE4,00476BE4,00476B60,00474EF0,?,00000000,02161C7C), ref: 02161AB0
                                  • waveInAddBuffer.WINMM(00474DA4,00000020,?,00000000,02161C7C), ref: 02161AC6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferHeaderPrepare
                                  • String ID: hMG
                                  • API String ID: 2315374483-350922481
                                  • Opcode ID: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                  • Instruction ID: 190db2d382fc2de2ba2a0b4614518655a13b1cebd275f07440ce6d52d391b2c9
                                  • Opcode Fuzzy Hash: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                  • Instruction Fuzzy Hash: 6301ADB1340301AFC7209F64EC489397BAAFF893013004139E909C77A1EB719C60CB98
                                  APIs
                                  • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocaleValid
                                  • String ID: IsValidLocaleName$kKD
                                  • API String ID: 1901932003-3269126172
                                  • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                  • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                  • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                  • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                  • API String ID: 1174141254-4188645398
                                  • Opcode ID: 06bc77d55e8fb5840851428069709c111eb9faa75ae45f14f57a1bd53324c730
                                  • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                  • Opcode Fuzzy Hash: 06bc77d55e8fb5840851428069709c111eb9faa75ae45f14f57a1bd53324c730
                                  • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                  • API String ID: 1174141254-2800177040
                                  • Opcode ID: bace6f47b7681df2663094d7cdbcc2af99c158e76f34949f98d6431700df5ab4
                                  • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                  • Opcode Fuzzy Hash: bace6f47b7681df2663094d7cdbcc2af99c158e76f34949f98d6431700df5ab4
                                  • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: AppData$\Opera Software\Opera Stable\
                                  • API String ID: 1174141254-1629609700
                                  • Opcode ID: 0ad9673d5740a961e85d2e0bcc20bff1dc46e4ed95a55a23a34886f7ed05f085
                                  • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                  • Opcode Fuzzy Hash: 0ad9673d5740a961e85d2e0bcc20bff1dc46e4ed95a55a23a34886f7ed05f085
                                  • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: G~E$hMG
                                  • API String ID: 3519838083-2030069899
                                  • Opcode ID: 498eed6ceb55bd9df1801c27c66a91a6ecc530a8f256c432acdcffc15b59a6db
                                  • Instruction ID: 0f12e0e527808be5797fd01c0f49286bb3a5810c0c4e43e7bccfa0f5300214be
                                  • Opcode Fuzzy Hash: 498eed6ceb55bd9df1801c27c66a91a6ecc530a8f256c432acdcffc15b59a6db
                                  • Instruction Fuzzy Hash: 25F02772F502149FC729AB1898086BEB37BEFD5B61F1042AEEC15972D0CF340D108AA5
                                  APIs
                                  • GetKeyState.USER32(00000011), ref: 0040B686
                                    • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                    • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                    • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                    • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                    • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                  • String ID: [AltL]$[AltR]
                                  • API String ID: 2738857842-2658077756
                                  • Opcode ID: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                  • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                  • Opcode Fuzzy Hash: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                  • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID: !D@$open
                                  • API String ID: 587946157-1586967515
                                  • Opcode ID: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                  • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                  • Opcode Fuzzy Hash: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                  • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                  APIs
                                  • GetKeyState.USER32(00000012), ref: 0040B6E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State
                                  • String ID: [CtrlL]$[CtrlR]
                                  • API String ID: 1649606143-2446555240
                                  • Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                  • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                  • Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                  • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                  APIs
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: <kG$@kG
                                  • API String ID: 1881088180-1261746286
                                  • Opcode ID: d4565030f79739e4e66115585db0aa101e00d72097786d2d832482c72ad8666d
                                  • Instruction ID: b3c290aa7aaf28965b2d5d57398085964b0ab7c4475a0d5935719b6e6c356165
                                  • Opcode Fuzzy Hash: d4565030f79739e4e66115585db0aa101e00d72097786d2d832482c72ad8666d
                                  • Instruction Fuzzy Hash: 4BE0D8315049208AC510B75EE442AC53345DB0A324B21907BF414D72D2CBAE78C24E5D
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteOpenValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 2654517830-1051519024
                                  • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                  • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                  • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                  • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                  APIs
                                    • Part of subcall function 02194A68: __onexit.LIBCMT ref: 02194A6E
                                  • __Init_thread_footer.LIBCMT ref: 021711CB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: <kG$@kG
                                  • API String ID: 1881088180-1261746286
                                  • Opcode ID: d4565030f79739e4e66115585db0aa101e00d72097786d2d832482c72ad8666d
                                  • Instruction ID: 96df4e6552dd3ce01f636fb4e3a0b51e4f464d929ee816c4d5723651a6a38829
                                  • Opcode Fuzzy Hash: d4565030f79739e4e66115585db0aa101e00d72097786d2d832482c72ad8666d
                                  • Instruction Fuzzy Hash: 10E02071584D209FC500B32DD44098533ABDB46331763812BD519DB2D0CF1575418E9D
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0216D770,00000000,?,00000000), ref: 02173CD3
                                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 02173CE7
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02173CD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteOpenValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 2654517830-1051519024
                                  • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                  • Instruction ID: 42f5539b10639989b0a222d802c34ef317dbf3ab24d318dfa6b421928bbfe660
                                  • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                  • Instruction Fuzzy Hash: D9E08C3128420CFBDF104B61DD06FAA372CEB41A01F0006A5BA0692091C7228A14A660
                                  APIs
                                  • DeleteFileW.KERNEL32(00000000,?,?,0216AF55,0000005C,?,?,?,00000000), ref: 0216BB18
                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,0216AF55,0000005C,?,?,?,00000000), ref: 0216BB43
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteDirectoryFileRemove
                                  • String ID: xdF
                                  • API String ID: 3325800564-999140092
                                  • Opcode ID: f517cdc3d40ae5788963dfbbc2829d8ded3531eabcb2716bd7f6638370093006
                                  • Instruction ID: 07808a5637d94394a7cdff1b82b9ed6a314599a468654cb76977076542db19aa
                                  • Opcode Fuzzy Hash: f517cdc3d40ae5788963dfbbc2829d8ded3531eabcb2716bd7f6638370093006
                                  • Instruction Fuzzy Hash: BDE086710807119FC620AB348C58AEF7359AF04306F04096AE493E3560DF399A59DA54
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0216EEAA,0000000D,00000033,00000000,00000032,00000000,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0216D31A
                                  • GetLastError.KERNEL32 ref: 0216D325
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateErrorLastMutex
                                  • String ID: Rmc-T59BEJ
                                  • API String ID: 1925916568-414001064
                                  • Opcode ID: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                  • Instruction ID: 29206023943c9760549760bbadfb3077621b3497ec30de6fde9907384a5a60ac
                                  • Opcode Fuzzy Hash: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                  • Instruction Fuzzy Hash: 77D012B4254300EBDB0427709C4DB6D36559B44703F508479B60BD99E1CBF48CD09915
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CommandLine
                                  • String ID: H%g
                                  • API String ID: 3253501508-3136102774
                                  • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                  • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                  • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                  • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
                                  • GetLastError.KERNEL32 ref: 00440D85
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                  • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                  • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                  • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02161E40), ref: 021A0FDE
                                  • GetLastError.KERNEL32 ref: 021A0FEC
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 021A1047
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: 088dcbec5a167405d9ff8429c0973f5051f6e46d219a09f8e04e9eefcf98d3af
                                  • Instruction ID: 124529c66df010691815def39bda89346f7248205322f40a45ef55a3753a2864
                                  • Opcode Fuzzy Hash: 088dcbec5a167405d9ff8429c0973f5051f6e46d219a09f8e04e9eefcf98d3af
                                  • Instruction Fuzzy Hash: 35412939A40292FFCF258F64C965BBF7BA5EF01321F154269E86DB71A0DB318901CB90
                                  APIs
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                  • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496029203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1496029203.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1496029203.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastRead
                                  • String ID:
                                  • API String ID: 4100373531-0
                                  • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                  • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                  • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                  • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99
                                  APIs
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 02171E2E
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 02171EFA
                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02171F1C
                                  • SetLastError.KERNEL32(0000007E,02172192), ref: 02171F33
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1496784989.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2160000_YESOHDKMIm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastRead
                                  • String ID:
                                  • API String ID: 4100373531-0
                                  • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                  • Instruction ID: 3fd803e25bb1e85bb1c548cac3022a65d4783fe99da987c3be988f725d6342a3
                                  • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                  • Instruction Fuzzy Hash: 56418A71648305AFEB25CF18DC84B66B7F9FF88715F14082DE99A87691EB70E908CB11