
Windows Analysis Report
#U63d0#U53d6Proxy (1).exe

Overview

General Information

Sample name: #U63d0#U53d6Proxy (1).exe
(renamed because original name is a hash value)
Original sample name: Proxy (1).exe
Analysis ID: 1560004
MD5: 3661801094ece049030d74f100a62a7d
SHA1: be2ad7cb68f836ed2eb7904d84a736b7bdfff46f
SHA256: 432ea6299e26471cc3f16ebe28bc694e45afd3d85f11ac5bd5395cb2f951d3bf
Tags: exe, malware, opendir, user-Joker

Detection

Gh0stCringe, Neshta, RunningRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Gh0stCringe
Yara detected Neshta
Yara detected RunningRAT
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Creates a Windows Service pointing to an executable in C:\Windows
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • #U63d0#U53d6Proxy (1).exe (PID: 5424 cmdline: "C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe" MD5: 3661801094ECE049030D74F100A62A7D)
    • #U63d0#U53d6Proxy (1).exe (PID: 6288 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe" MD5: 70E7FC95995215806697E6F7464AE162)
      • look2.exe (PID: 3468 cmdline: C:\Users\user\AppData\Local\Temp\\look2.exe MD5: 2F3B6F16E33E28AD75F3FDAEF2567807)
  • svchost.exe (PID: 2720 cmdline: C:\Windows\SysWOW64\svchost.exe -k "svchcst" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 1060 cmdline: C:\Windows\SysWOW64\svchost.exe -k "svchcst" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • svchcst.exe (PID: 6008 cmdline: C:\Windows\system32\svchcst.exe "c:\windows\system32\4958812.bat",MainThread MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: neshta
Description: Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name: Running RAT
Description: NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-bugging techniques.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat

No configs have been found

Source | Rule | Description | Author | Strings
#U63d0#U53d6Proxy (1).exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
#U63d0#U53d6Proxy (1).exe | JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security
#U63d0#U53d6Proxy (1).exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
(table truncated; 350 entries in the full report)

Source | Rule | Description | Author | Strings
00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security
00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_Gh0stCringe | Yara detected Gh0stCringe | Joe Security
00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security
00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_Gh0stCringe | Yara detected Gh0stCringe | Joe Security
00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp | JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security
(table truncated; 16 entries in the full report)

Source | Rule | Description | Author | Strings
3.2.look2.exe.441158.1.unpack | JoeSecurity_Gh0stCringe | Yara detected Gh0stCringe | Joe Security
6.2.svchcst.exe.10000000.1.unpack | JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security
6.2.svchcst.exe.10000000.1.unpack | JoeSecurity_Gh0stCringe | Yara detected Gh0stCringe | Joe Security
0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
(table truncated; 19 entries in the full report)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe, ProcessId: 5424, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe -k "svchcst", CommandLine: C:\Windows\SysWOW64\svchost.exe -k "svchcst", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe -k "svchcst", ProcessId: 2720, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: #U63d0#U53d6Proxy (1).exe | Avira: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | ReversingLabs: Detection: 97%
Source: #U63d0#U53d6Proxy (1).exe | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Joe Sandbox ML: detected
Source: #U63d0#U53d6Proxy (1).exe | Joe Sandbox ML: detected
Source: #U63d0#U53d6Proxy (1).exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: mpextms.pdb source: mpextms.exe0.0.dr
Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe0.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source: Binary string: rundll32.pdbGCTL source: svchost.exe, 00000005.00000003.2181089688.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, 00000006.00000000.2221730262.0000000000D01000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdb source: msedgewebview2.exe0.0.dr
                              Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdbOGP source: msedgewebview2.exe0.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe0.0.dr
                              Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
                              Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
                              Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                              Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
                              Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
                              Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                              Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
                              Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
                              Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                              Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
                              Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
                              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
                              Source: Binary string: rundll32.pdb source: svchost.exe, 00000005.00000003.2181089688.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, svchcst.exe, 00000006.00000000.2221730262.0000000000D01000.00000020.00000001.01000000.00000009.sdmp
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                              Source: Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
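The Binary string entries above are PDB paths recovered from the overwritten host binaries. The trailing OGP, GCTL and 0000...S fragments on several of them are neighbouring bytes, not part of the path; a PDB path ends at .pdb. The added example below (written for this page, not Joe Sandbox code and not code from the sample) parses the CodeView RSDS record directly: the path is NUL-terminated after a 16-byte GUID and a 4-byte age, so the record yields a clean path together with the key that identifies the matching PDB on a symbol server. The byte blob it runs on is constructed and its GUID is a placeholder.

```python
"""Extract PDB paths from CodeView RSDS records.

Added example, not part of Joe Sandbox or of the analysed sample.  The RSDS
record is: b"RSDS", 16-byte GUID (Windows byte order), 4-byte little-endian
age, NUL-terminated UTF-8 PDB path.  SAMPLE_BLOB is constructed and the GUID
in it is a placeholder.
"""
import struct
import sys
import uuid

RSDS_MAGIC = b"RSDS"
HEADER_LEN = 4 + 16 + 4  # magic, GUID, age


def parse_rsds(blob: bytes):
    """Yield (pdb_path, symbol_key) for each RSDS record found in blob."""
    pos = 0
    while True:
        pos = blob.find(RSDS_MAGIC, pos)
        if pos < 0 or len(blob) < pos + HEADER_LEN:
            return
        guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])  # Windows GUID byte order
        (age,) = struct.unpack_from("<I", blob, pos + 20)
        end = blob.find(b"\x00", pos + HEADER_LEN)
        if end < 0:
            return  # truncated record: the path is never terminated
        path = blob[pos + HEADER_LEN:end].decode("utf-8", errors="replace")
        # Symbol-server key: the GUID as 32 upper-case hex digits, then the age in hex.
        yield path, f"{guid.hex.upper()}{age:X}"
        pos = end


SAMPLE_BLOB = (  # constructed: padding, one RSDS record, then unrelated bytes
    b"\x00" * 8
    + RSDS_MAGIC
    + bytes.fromhex("7890abcd1234567890abcdef01234567")  # placeholder GUID
    + struct.pack("<I", 1)
    + b"D:\\dbs\\el\\omr\\Target\\x86\\ship\\postc2r\\x-none\\graph.pdb\x00"
    + b"GCTL" + b"0" * 40 + b"S"  # bytes that happen to follow the record
)


def main(argv):
    """Parse a file given on the command line, or the constructed sample."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_BLOB
    for path, key in parse_rsds(data):
        print(f"{path}  key={key}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against one of the dropped files to get the PDB name and key; if the key no longer resolves on the vendor's symbol server, the host code itself has been altered rather than merely prepended to.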

                              Spreading

                              Source: Yara match; File source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE
                              Source: Yara match; File source: 0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 00000000.00000002.2601271801.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match; File source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 5424, type: MEMORYSTR
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                              Source: Yara match; File source: C:\Windows\svchost.com, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                              Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                              Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Users\user\AppData\Local\Temp\chrome.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00471E54 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,2_2_00471E54
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00412510 FindNextFileA,FindClose,FindFirstFileA,FindClose,2_2_00412510
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00405240 FindFirstFileA,FindClose,2_2_00405240
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00419320 FindFirstFileA,FindClose,2_2_00419320
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00409630 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,2_2_00409630
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeCode function: 3_2_0041E372 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,3_2_0041E372
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeCode function: 3_2_0042051A FindFirstFileA,FindClose,3_2_0042051A
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeCode function: 4x nop then mov eax, dword ptr fs:[00000000h]0_3_021F6DA0
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 4x nop then sub esp, 14h2_2_00404D12
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_004242A0 ioctlsocket,recvfrom,2_2_004242A0
Source: global traffic | DNS traffic detected: DNS query: kinh.xmcxmr.com
Source: integrator.exe.0.dr | String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: OLicenseHeartbeat.exe.0.dr | String found in binary or memory: http://CodeTypeIsExpectedOffice.System.ResultGlobal
Source: VC_redist.x64.exe.0.dr | String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: #U63d0#U53d6Proxy (1).exe, 00000000.00000002.2601112407.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: AutoIt3_x64.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U63d0#U53d6Proxy (1).exe | String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: msedgewebview2.exe0.0.dr | String found in binary or memory: https://crashpad.chromium.org/
Source: msedgewebview2.exe0.0.dr | String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: msedgewebview2.exe0.0.dr | String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: OLicenseHeartbeat.exe.0.dr | String found in binary or memory: https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader
Source: integrator.exe.0.dr | String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr | String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0042D340 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0042D340
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0045FB20 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_0045FB20
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0042D4A0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,2_2_0042D4A0
Source: integrator.exe.0.dr | Binary or memory string: RegisterRawInputDevicesmemstr_133bf213-1
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_00418030 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,2_2_00418030
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_004764E3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,2_2_004764E3
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_004749ED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_004749ED
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_004194D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,2_2_004194D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0042BBA0 GetKeyState,GetKeyState,GetKeyState,CopyRect,2_2_0042BBA0
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_0041A0C9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,3_2_0041A0C9
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_0042B165 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,3_2_0042B165
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_0042B17A GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,3_2_0042B17A
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_0042C5CE GetKeyState,GetKeyState,GetKeyState,3_2_0042C5CE
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_004185D6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,3_2_004185D6
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_00427583 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,3_2_00427583
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_0041CF35 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_0041CF35

E-Banking Fraud

Source: C:\Windows\SysWOW64\svchost.exe | Code function: memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command 5_2_10003990

System Summary

Source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE | Matched rule: Detects Neshta Author: ditekSHen
Source: 0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Windows\svchost.com, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED, Matched rule: Detects Neshta, Author: ditekSHen
Source: C:\Windows\SysWOW64\svchcst.exe, Code function: 6_2_00D05CF1 NtQueryInformationToken, NtQueryInformationToken, RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\svchcst.exe, Code function: 6_2_00D040B1 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\svchcst.exe, Code function: 6_2_00D05D6A NtOpenProcessToken, RtlNtStatusToDosError, NtClose, QueryActCtxW, NtOpenProcessToken, NtSetInformationToken, NtClose
Source: C:\Windows\SysWOW64\svchcst.exe, Code function: 6_2_00D05911 PathIsRelativeW, RtlSetSearchPathMode, SearchPathW, GetFileAttributesW, CreateActCtxW, CreateActCtxWWorker, CreateActCtxWWorker, CreateActCtxWWorker, GetModuleHandleW, CreateActCtxWWorker, ActivateActCtx, SetWindowLongW, GetWindowLongW, GetWindow, memset, GetClassNameW, CompareStringW, GetWindow, GetWindow, GetWindowLongW, SetWindowLongW, NtdllDefWindowProc_W
Source: C:\Windows\SysWOW64\svchcst.exe, Code function: 6_2_00D04136 HeapSetInformation, NtSetInformationProcess, AttachConsole, LocalAlloc, LoadLibraryExW, GetProcAddress, SetErrorMode, DestroyWindow, FreeLibrary, LocalFree, DeactivateActCtx, ReleaseActCtx, FreeLibrary, LocalFree, FreeConsole, ExitProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 5_2_10002760 OpenSCManagerA, OpenServiceA, DeleteService, CloseServiceHandle, CloseServiceHandle
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 5_2_100027E0 LoadLibraryA, GetProcAddress, GetCurrentProcess, OpenProcessToken, DuplicateTokenEx, WTSGetActiveConsoleSessionId, SetTokenInformation, CreateProcessAsUserA, CloseHandle, CloseHandle, FreeLibrary
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 5_2_100032D0 ExitWindowsEx
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe, File created: C:\Windows\svchost.com
Source: C:\Users\user\AppData\Local\Temp\look2.exe, File created: C:\Windows\SysWOW64\4958812.bat
Source: C:\Users\user\AppData\Local\Temp\look2.exe, File created: C:\Windows\SysWOW64\ini.ini
Source: C:\Windows\SysWOW64\svchost.exe, File created: C:\Windows\SysWOW64\svchcst.exe
Source: Joe Sandbox View, Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe, Code function: String function: 0221A0CC appears 70 times
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe, Code function: String function: 02240F9B appears 53 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Code function: String function: 00472D4F appears 44 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Code function: String function: 00443E90 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Code function: String function: 00444110 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Code function: String function: 0046295B appears 40 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Code function: String function: 00443D00 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Code function: String function: 004642C8 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\look2.exe, Code function: String function: 0040A334 appears 218 times
Source: #U63d0#U53d6Proxy (1).exe, Binary or memory string: OriginalFilename vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.0000000002287000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamefreeeim.exe vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamefreeeim.exe vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.0000000002682000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamefreeeim.exe vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamefreeeim.exe vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp, Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000028C4000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, Binary or memory string: OriginalFilenamefreeeim.exe vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, Binary or memory string: OriginalFilenamefreeeim.exe vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, Binary or memory string: OriginalFilenamefreeeim.exe vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U63d0#U53d6Proxy (1).exe
Source: #U63d0#U53d6Proxy (1).exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Windows\svchost.com, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                              Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
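Every file in the list above is a legitimate executable under Program Files, ProgramData or the Defender platform directory that now matches the Neshta rule, and the submitted sample re-spawns itself from the %TEMP%\3582-490 directory it creates. That is the footprint of a prepending file infector: the infected file begins with the virus body and carries the original program behind it, and running it drops and launches that original so the host program still appears to work. The Python below is an added example for this report, not code from Joe Sandbox or from any Neshta tooling: it parses the outer PE headers to find where that image's raw data ends and carves out a second PE image appended behind it, which is what an incident responder wants when recovering the original binaries. The two images it checks itself against are constructed minimal PE files; the exact layout Neshta uses (stub size, any padding between stub and host) is not taken from this report, and the scan window past the outer image's end is an assumption to tolerate overlay bytes.

```python
import struct
import sys
from typing import Optional, Tuple

FILE_ALIGN = 0x200  # typical PE file alignment; used only by the test-image builder


def _align(n: int, a: int = FILE_ALIGN) -> int:
    return (n + a - 1) // a * a


def build_min_pe(payload: bytes, section_name: bytes = b".text") -> bytes:
    """Build a minimal, structurally valid PE32 image holding `payload` in one
    section. Constructed test data for this example only; not a runnable program."""
    e_lfanew, opt_size, nsec = 0x40, 0xE0, 1
    hdr_len = _align(e_lfanew + 4 + 20 + opt_size + 40 * nsec)
    raw_size = _align(len(payload))
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic, rest zeroed
    sec = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\x00"), len(payload),
                      0x1000, raw_size, hdr_len, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sec
    return headers.ljust(hdr_len, b"\x00") + payload.ljust(raw_size, b"\x00")


def pe_raw_end(data: bytes, base: int = 0) -> Optional[int]:
    """Offset just past the last byte the PE at `base` accounts for (headers plus
    every section's raw data), or None if no structurally valid PE starts there.
    A claimed end beyond the buffer is clamped to the buffer (truncated file)."""
    n = len(data)
    if base + 0x40 > n or data[base:base + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > n or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    sec_tbl = pe + 24 + opt_size
    end = sec_tbl + 40 * nsec
    if end > n:
        return None
    for i in range(nsec):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)
        if raw_size:
            end = max(end, base + raw_ptr + raw_size)
    return min(end, n)


def find_appended_pe(data: bytes, max_overlay: int = 0x10000) -> Optional[Tuple[int, bytes]]:
    """Look for a second PE image after the outer image's raw end, the layout a
    prepending infector produces. Returns (offset, image bytes) or None.
    `max_overlay` (an assumption) bounds how far past the outer image to search,
    so a small overlay such as padding or a signature blob does not hide the host."""
    outer_end = pe_raw_end(data, 0)
    if outer_end is None:
        return None
    pos, limit = outer_end, min(len(data), outer_end + max_overlay)
    while True:
        pos = data.find(b"MZ", pos, limit)
        if pos < 0:
            return None
        inner_end = pe_raw_end(data, pos)
        if inner_end is not None:
            return pos, data[pos:inner_end]
        pos += 1


if __name__ == "__main__":
    # Usage: python carve_host.py <infected.exe>   -> writes <infected.exe>.host
    blob = open(sys.argv[1], "rb").read()
    hit = find_appended_pe(blob)
    if hit is None:
        sys.exit("no appended PE image found")
    with open(sys.argv[1] + ".host", "wb") as out:
        out.write(hit[1])
    print(f"host image at offset {hit[0]:#x}, {len(hit[1])} bytes written")
```

Run it against one of the infected Program Files binaries and compare the carved output with the vendor's clean build (hash or signature check); a match confirms the carve and tells you which infected files can be restored in place rather than reinstalled. The parser deliberately trusts only the DOS stub, COFF header and section table, so a stub with a bogus optional header still yields a usable end offset.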
Source: MpCmdRun.exe2.0.dr | Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathuserIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: msedgewebview2.exe0.0.dr | Binary string: @g_interceptionsntdll.dllg_originals\Device\\/?/?\\??\ntdll.dllRtlInitUnicodeStringntdll.dll\KnownDllsDeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedNameuserenvchromeInstallFileslpacChromeInstallFilesmediaFoundationCdmFileslpacMediaFoundationCdmDatalpacEdgeWdagCommslpacChromeNetworkSandboxKeyg_handles_to_close
Source: msedgewebview2.exe0.0.dr | Binary string: \\.\\Device\DeviceApi\Device\DeviceApi\CMApintdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolume
Source: classification engine | Classification label: mal100.spre.bank.troj.evad.winEXE@9/180@7/1
Source: C:\Windows\SysWOW64\svchcst.exe | Code function: 6_2_00D03C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,6_2_00D03C66
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_00421104 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,3_2_00421104
Source: C:\Windows\SysWOW64\svchost.exe | Code function: OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,StartServiceA,5_2_10002310
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0045ED20 FindWindowA,GetWindowThreadProcessId,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,TerminateProcess,2_2_0045ED20
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0045E790 SHGetFileInfoA,CoCreateInstance,lstrlenA,2_2_0045E790
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_004724DC __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,2_2_004724DC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_10002310 OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,StartServiceA,5_2_10002310
Source: C:\Windows\SysWOW64\svchcst.exe | Mutant created: \Sessions\1\BaseNamedObjects\kinh.xmcxmr.com:442:svchcst
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Users\user\AppData\Local\Temp\3582-490
Source: C:\Windows\SysWOW64\svchcst.exe | Command line argument: WLDP.DLL 6_2_00D04136
Source: C:\Windows\SysWOW64\svchcst.exe | Command line argument: localserver 6_2_00D04136
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: integrator.exe.0.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U63d0#U53d6Proxy (1).exe | ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File read: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
Source: unknown | Process created: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe "C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe"
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe "C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Process created: C:\Users\user\AppData\Local\Temp\look2.exe C:\Users\user\AppData\Local\Temp\\look2.exe
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "svchcst"
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "svchcst"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\svchcst.exe C:\Windows\system32\svchcst.exe "c:\windows\system32\4958812.bat",MainThread
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe "C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Process created: C:\Users\user\AppData\Local\Temp\look2.exe C:\Users\user\AppData\Local\Temp\\look2.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\svchcst.exe C:\Windows\system32\svchcst.exe "c:\windows\system32\4958812.bat",MainThread
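The process tree above is the RAT's persistence in action: a 32-bit svchost.exe from SysWOW64 is started with -k "svchcst", a service group Windows does not register, and it in turn launches svchcst.exe, a near-miss spelling of svchost.exe, with a .bat path and the export name MainThread in the "<module>",<export> syntax rundll32 uses, consistent with a PE hidden behind a .bat extension. The function at 5_2_10002310 is the installer for that service (OpenSCManagerA, CreateServiceA, ChangeServiceConfig2A, StartServiceA), and the mutex kinh.xmcxmr.com:442:svchcst embeds the C2 host and port. The Python below is an added example, not code from the report or from the malware: it audits service registry records for svchost-hosted services whose -k group is not registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, whose svchost image is outside System32, or whose ServiceDll is not a .dll under System32; it flags lookalike image names; and it pulls host:port out of a mutex name of the shape seen here. The service records and the list of known groups are constructed for the example (the group list is abridged); on a live host read the groups from that registry key and ImagePath/ServiceDll from HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service-host groups a clean Windows 10 host registers as value names under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. Constructed and
# abridged for this example; on a live host enumerate that key instead.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "localservicenonetwork", "localservicenoimpersonation", "wsappx",
    "unistacksvcgroup", "netprofm", "appmodel",
}
SYSTEM32 = r"c:\windows\system32"
# Object-name shape of the mutex in this report: "<host>:<port>:<tag>".
MUTEX_C2_RE = re.compile(
    r"^([a-z0-9][a-z0-9.-]*\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}):\w+$", re.I)


@dataclass
class ServiceRecord:
    name: str
    image_path: str                    # Services\<name>\ImagePath
    service_dll: Optional[str] = None  # Services\<name>\Parameters\ServiceDll


def normalize(path: str) -> str:
    """Lower-case and expand %SystemRoot%/%windir% (assumed to be C:\\Windows)."""
    p = path.strip().lower()
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def svchost_group(image_path: str) -> Optional[str]:
    """Group name from 'svchost.exe -k <group>' (quoted or bare), else None."""
    m = re.search(r'-k\s+"?([^"\s]+)"?', image_path, re.IGNORECASE)
    return m.group(1) if m else None


def audit_service(rec: ServiceRecord) -> List[str]:
    """Findings for a svchost-hosted service; empty list when nothing looks off."""
    findings: List[str] = []
    image = normalize(rec.image_path)
    m = re.match(r'^"?(.*?\\svchost\.exe)', image)
    if not m:
        return findings  # not hosted by svchost.exe; outside this check's scope
    if m.group(1) != SYSTEM32 + r"\svchost.exe":
        findings.append(f"{rec.name}: svchost image outside System32: {m.group(1)}")
    group = svchost_group(image)
    if group is None:
        findings.append(f"{rec.name}: svchost.exe started without a -k group")
    elif group not in KNOWN_SVCHOST_GROUPS:
        findings.append(f"{rec.name}: unregistered svchost group '{group}'")
    if rec.service_dll is not None:
        dll = normalize(rec.service_dll).strip('"')
        if not dll.endswith(".dll"):
            findings.append(f"{rec.name}: ServiceDll without .dll extension: {dll}")
        if not dll.startswith(SYSTEM32 + "\\"):
            findings.append(f"{rec.name}: ServiceDll outside System32: {dll}")
    return findings


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_svchost_lookalike(image: str, max_distance: int = 2) -> bool:
    """True for near-miss spellings such as svchcst.exe, never for the real name."""
    stem = image.lower().rsplit("\\", 1)[-1]
    stem = stem[:-4] if stem.endswith(".exe") else stem
    return stem != "svchost" and levenshtein(stem, "svchost") <= max_distance


def c2_from_mutex(mutex: str) -> Optional[Tuple[str, int]]:
    """(host, port) when the mutex leaf name has the host:port:tag shape, else None."""
    m = MUTEX_C2_RE.match(mutex.rsplit("\\", 1)[-1])
    if not m or not 0 < int(m.group(2)) < 65536:
        return None
    return m.group(1), int(m.group(2))


# Constructed records: the service this report shows, plus one genuine Windows service.
SAMPLE_SERVICES = [
    ServiceRecord("svchcst", r'C:\Windows\SysWOW64\svchost.exe -k "svchcst"',
                  r"c:\windows\system32\4958812.bat"),
    ServiceRecord("Dnscache", r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
                  r"%SystemRoot%\System32\dnsrslvr.dll"),
]

if __name__ == "__main__":
    for rec in SAMPLE_SERVICES:
        for finding in audit_service(rec):
            print("[service]", finding)
    for exe in (r"C:\Windows\SysWOW64\svchcst.exe", r"C:\Windows\System32\svchost.exe"):
        print("[lookalike]", exe, is_svchost_lookalike(exe))
    print("[c2]", c2_from_mutex(r"\Sessions\1\BaseNamedObjects\kinh.xmcxmr.com:442:svchcst"))
```

On the report's service the audit raises three findings (SysWOW64 image, unregistered group, ServiceDll with a .bat extension) and none on the genuine Dnscache record; the lookalike check separates svchcst.exe from svchost.exe without a hard-coded blocklist, and the mutex parser turns the object name into a network indicator you can hand to DNS and proxy logs.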
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: mfc42.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\look2.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mfc42.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: mfc42.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\svchcst.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\look2.exe | File written: C:\Windows\SysWOW64\ini.ini
Source: #U63d0#U53d6Proxy (1).exe | Static file information: File size 2376252 > 1048576
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
                              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
                              Source: Binary string: mpextms.pdb source: mpextms.exe0.0.dr
                              Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe0.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
                              Source: Binary string: rundll32.pdbGCTL source: svchost.exe, 00000005.00000003.2181089688.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, 00000006.00000000.2221730262.0000000000D01000.00000020.00000001.01000000.00000009.sdmp
                              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
                              Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
                              Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
                              Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
                              Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
                              Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
                              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
                              Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
                              Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdb source: msedgewebview2.exe0.0.dr
                              Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
                              Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
                              Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdbOGP source: msedgewebview2.exe0.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe0.0.dr
                              Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
                              Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
                              Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                              Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
                              Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
                              Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                              Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
                              Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
                              Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                              Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
                              Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
                              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
                              Source: Binary string: rundll32.pdb source: svchost.exe, 00000005.00000003.2181089688.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, svchcst.exe, 00000006.00000000.2221730262.0000000000D01000.00000020.00000001.01000000.00000009.sdmp
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                              Source: Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
                               Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe Code function: 2_2_00411DA0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,2_2_00411DA0
                               Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe Code function: 0_3_021D23F8 push ebp; ret 0_3_021D23F9
                               Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe Code function: 0_3_0221A0CC push eax; ret 0_3_0221A0EA
                               Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe Code function: 0_3_02218104 push eax; ret 0_3_02218132
                               Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe Code function: 0_3_02240F9B push eax; ret 0_3_02240FB9
                               Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe Code function: 0_3_02241C17 push eax; ret 0_3_02241C45
                               Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe Code function: 2_2_004642C8 push eax; ret 2_2_004642E6
                               Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe Code function: 2_2_00462300 push eax; ret 2_2_0046232E
                               Source: C:\Users\user\AppData\Local\Temp\look2.exe Code function: 3_2_0040A334 push eax; ret 3_2_0040A352
                               Source: C:\Users\user\AppData\Local\Temp\look2.exe Code function: 3_2_0040AFB0 push eax; ret 3_2_0040AFDE
                               Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_100094C0 push eax; ret 5_2_100094EE
                               Source: C:\Windows\SysWOW64\svchcst.exe Code function: 6_2_00D06883 push ecx; ret 6_2_00D06896
                               Source: C:\Windows\SysWOW64\svchcst.exe Code function: 6_2_00D0682D push ecx; ret 6_2_00D06840

                              Persistence and Installation Behavior

                               Source: Yara match File source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE
                               Source: Yara match File source: 0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
                               Source: Yara match File source: 00000000.00000002.2601271801.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                               Source: Yara match File source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 5424, type: MEMORYSTR
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                               Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                               Source: Yara match File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                               Source: Yara match File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                               Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                               Source: Yara match File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                              Source: Yara matchFile source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                              Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\look2.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters ServiceDll C:\Windows\system32\4958812.bat
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; File created: C:\Windows\svchost.com
Source: C:\Windows\SysWOW64\svchost.exe; Executable created and started: C:\Windows\SysWOW64\svchcst.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Windows\svchost.comJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                              Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Windows\SysWOW64\svchcst.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeFile created: C:\Windows\SysWOW64\4958812.batJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | File created: C:\Users\user\AppData\Local\Temp\look2.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\look2.exe | File created: C:\Windows\SysWOW64\4958812.bat
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\Windows\svchost.com
Source: C:\Windows\SysWOW64\svchost.exe | File created: C:\Windows\SysWOW64\svchcst.exe

Boot Survival

Source: Yara match | File source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE
Source: Yara match | File source: 0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2601271801.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 5424, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst
                              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_10002310 OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,StartServiceA,5_2_10002310
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_004107B0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,2_2_004107B0
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_00460970 IsIconic,GetWindowPlacement,GetWindowRect,2_2_00460970
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_00419220 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,2_2_00419220
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_0042B21D IsWindowVisible,IsIconic,3_2_0042B21D
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_00415330 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,3_2_00415330
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_004266D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,3_2_004266D6
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_00414B80 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,3_2_00414B80
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_00421D44 GetParent,GetParent,GetParent,IsIconic,3_2_00421D44
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Code function: 3_2_00402DAB IsIconic,GetWindowPlacement,GetWindowRect,3_2_00402DAB
                              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_10006B50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,5_2_10006B50
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\look2.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\svchcst.exe | Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_10004DA0
                              Source: C:\Windows\SysWOW64\svchost.exe | Code function: malloc,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,free,5_2_100041C0
                              Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 361
                              Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 9636
                              Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Windows\svchost.com
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXEJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\look2.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeAPI coverage: 3.9 %
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeAPI coverage: 2.7 %
                              Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_10004DA05_2_10004DA0
                              Source: C:\Windows\SysWOW64\svchost.exe TID: 2888Thread sleep count: 361 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\svchost.exe TID: 2888Thread sleep time: -361000s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\svchost.exe TID: 2888Thread sleep count: 9636 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\svchost.exe TID: 2888Thread sleep time: -9636000s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\svchcst.exe TID: 1460Thread sleep count: 88 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\svchcst.exe TID: 1460Thread sleep time: -88000s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00471E54 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,2_2_00471E54
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00412510 FindNextFileA,FindClose,FindFirstFileA,FindClose,2_2_00412510
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00405240 FindFirstFileA,FindClose,2_2_00405240
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00419320 FindFirstFileA,FindClose,2_2_00419320
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00409630 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,2_2_00409630
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeCode function: 3_2_0041E372 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,3_2_0041E372
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeCode function: 3_2_0042051A FindFirstFileA,FindClose,3_2_0042051A
                              Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_10003F10 GetSystemInfo,wsprintfA,5_2_10003F10
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\Jump to behavior
                              Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Jump to behavior
                              Source: svchcst.exe, 00000006.00000002.4657151559.00000000008B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeAPI call chain: ExitProcess graph end nodegraph_2-50301
                              Source: C:\Windows\SysWOW64\svchcst.exeAPI call chain: ExitProcess graph end node
                              Source: C:\Windows\SysWOW64\svchcst.exeCode function: 6_2_00D05E4F LdrResolveDelayLoadedAPI,6_2_00D05E4F
                              Source: C:\Windows\SysWOW64\svchcst.exeCode function: 6_2_00D025B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,6_2_00D025B2
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_00411DA0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,2_2_00411DA0
                              Source: C:\Windows\SysWOW64\svchcst.exeCode function: 6_2_00D03F6B mov esi, dword ptr fs:[00000030h]6_2_00D03F6B
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_004368B0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId,2_2_004368B0
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_0046C9A2 SetUnhandledExceptionFilter,2_2_0046C9A2
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exeCode function: 2_2_0046C9B4 SetUnhandledExceptionFilter,2_2_0046C9B4
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeCode function: 3_2_0040F826 SetUnhandledExceptionFilter,3_2_0040F826
                              Source: C:\Users\user\AppData\Local\Temp\look2.exeCode function: 3_2_0040F838 SetUnhandledExceptionFilter,3_2_0040F838
                              Source: C:\Windows\SysWOW64\svchcst.exeCode function: 6_2_00D06510 SetUnhandledExceptionFilter,6_2_00D06510
                              Source: C:\Windows\SysWOW64\svchcst.exeCode function: 6_2_00D061C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00D061C0

                              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_10003C80 CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe
Source: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe "C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe"
Source: AutoIt3_x64.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_00463730 GetLocalTime,GetSystemTime,GetTimeZoneInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0046CC1C GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe | Code function: 2_2_0047B8B2 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA
Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: acs.exe
Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: kxetray.exe
Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: vsserv.exe
Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: avcenter.exe
Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: cfp.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: KSafeTray.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: avp.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: 360tray.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: rtvscan.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: ashDisp.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: TMBMSRV.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: avgwdsvc.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: AYAgent.aye
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: QUHLPSVC.EXE
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: RavMonD.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: Mcshield.exe
                              Source: #U63d0#U53d6Proxy (1).exe, #U63d0#U53d6Proxy (1).exe, 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U63d0#U53d6Proxy (1).exe, 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, look2.exe, 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp, svchost.exe, 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, svchcst.exe, 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: K7TSecurity.exe

                              Stealing of Sensitive Information

                              Source: Yara match | File source: 3.2.look2.exe.441158.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 6.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: look2.exe PID: 3468, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1060, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: svchcst.exe PID: 6008, type: MEMORYSTR
                              Source: Yara match | File source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE
                              Source: Yara match | File source: 0.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000000.00000002.2601271801.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 5424, type: MEMORYSTR
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                              Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                              Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                              Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                              Source: Yara matchFile source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                              Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                              Source: Yara matchFile source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE
                              Source: Yara matchFile source: 6.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.0.#U63d0#U53d6Proxy (1).exe.481a63.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.3.#U63d0#U53d6Proxy (1).exe.2237867.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.2.#U63d0#U53d6Proxy (1).exe.481a63.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.3.#U63d0#U53d6Proxy (1).exe.2874a8b.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 3.0.look2.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.3.#U63d0#U53d6Proxy (1).exe.2874a8b.2.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.3.#U63d0#U53d6Proxy (1).exe.2632a83.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.3.#U63d0#U53d6Proxy (1).exe.2638a8b.4.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.3.#U63d0#U53d6Proxy (1).exe.2237867.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.3.#U63d0#U53d6Proxy (1).exe.2632a83.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.3.#U63d0#U53d6Proxy (1).exe.2638a8b.4.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.0.#U63d0#U53d6Proxy (1).exe.481a63.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.2.#U63d0#U53d6Proxy (1).exe.481a63.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.2.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 5424, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 6288, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: look2.exe PID: 3468, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1060, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: svchcst.exe PID: 6008, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\SysWOW64\4958812.bat, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPED

                              Remote Access Functionality

                              Source: Yara match | File source: 3.2.look2.exe.441158.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 6.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: look2.exe PID: 3468, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1060, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: svchcst.exe PID: 6008, type: MEMORYSTR
                              Source: Yara match | File source: #U63d0#U53d6Proxy (1).exe, type: SAMPLE
                              Source: Yara match | File source: 6.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.0.#U63d0#U53d6Proxy (1).exe.481a63.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.3.#U63d0#U53d6Proxy (1).exe.2237867.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.#U63d0#U53d6Proxy (1).exe.481a63.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.#U63d0#U53d6Proxy (1).exe.2874a8b.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.0.look2.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.#U63d0#U53d6Proxy (1).exe.2874a8b.2.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.#U63d0#U53d6Proxy (1).exe.2632a83.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.#U63d0#U53d6Proxy (1).exe.2638a8b.4.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.3.#U63d0#U53d6Proxy (1).exe.2237867.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.#U63d0#U53d6Proxy (1).exe.2632a83.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.#U63d0#U53d6Proxy (1).exe.2638a8b.4.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.0.#U63d0#U53d6Proxy (1).exe.481a63.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.#U63d0#U53d6Proxy (1).exe.481a63.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.0.#U63d0#U53d6Proxy (1).exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 5424, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: #U63d0#U53d6Proxy (1).exe PID: 6288, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: look2.exe PID: 3468, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1060, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: svchcst.exe PID: 6008, type: MEMORYSTR
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
                              Source: Yara match | File source: C:\Windows\SysWOW64\4958812.bat, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, type: DROPPED
                              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_100078D0 socket,bind,getsockname,inet_addr | 5_2_100078D0
                              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_100073B0 socket,htons,bind,closesocket,listen,closesocket,getsockname,htons,CreateThread,CreateThread,CreateThread | 5_2_100073B0
                              MITRE ATT&CK Matrix (one row per line; a leading number is the count of matched signatures for that technique)

                              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                              Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 4 File and Directory Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                              Email Addresses | DNS Server | Domain Accounts | 12 Service Execution | 122 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 5 System Information Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                              Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 122 Windows Service | 1 DLL Side-Loading | NTDS | 241 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
                              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 23 Process Injection | 23 Masquerading | LSA Secrets | 1 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 1 Valid Accounts | Cached Domain Credentials | 12 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 23 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                              Behavior Graph (ID: 1560004; Sample: #U63d0#U53d6Proxy (1).exe; Startdate: 21/11/2024; Architecture: WINDOWS; Score: 100)

                              Start
                                Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 10 other signatures
                                DNS/IP: kinh.xmcxmr.com
                                -> #U63d0#U53d6Proxy (1).exe (started)
                                     Dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\Users\user\...\#U63d0#U53d6Proxy (1).exe (PE32); 172 other malicious files
                                     Signatures: Creates an undocumented autostart registry key; Infects executable files (exe, dll, sys, html)
                                     -> #U63d0#U53d6Proxy (1).exe (started)
                                          Dropped: C:\Users\user\AppData\Local\Temp\look2.exe (PE32)
                                          -> look2.exe (started)
                                               Dropped: C:\Windows\SysWOW64\4958812.bat (PE32)
                                               Signatures: Creates a Windows Service pointing to an executable in C:\Windows
                                -> svchost.exe (started)
                                     Signatures: Checks if browser processes are running; Contains functionality to detect sleep reduction / modifications
                                -> svchost.exe (started)
                                     Dropped: C:\Windows\SysWOW64\svchcst.exe (PE32)
                                     Signatures: Drops executables to the windows directory (C:\Windows) and starts them
                                     -> svchcst.exe (started)
                                          DNS/IP: kinh.xmcxmr.com 127.0.0.1 unknown unknown



                              Source | Detection | Scanner | Label | Link
                              #U63d0#U53d6Proxy (1).exe | 97% | ReversingLabs | Win32.Virus.Neshta
                              #U63d0#U53d6Proxy (1).exe | 100% | Avira | W32/Neshta.A
                              #U63d0#U53d6Proxy (1).exe | 100% | Joe Sandbox ML
                              Source | Detection | Scanner | Label | Link
                              C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Neshta.A
                              C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML
                              C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe100%Joe Sandbox ML
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe100%Joe Sandbox ML
                              C:\Program Files (x86)\AutoIt3\Au3Check.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\Au3Info.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe97%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\AutoIt3\Uninstall.exe95%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe97%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Java\jre-1.8\bin\java.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe100%ReversingLabsWin32.Virus.Neshta
                              C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE100%ReversingLabsWin32.Virus.Neshta
                              No Antivirus matches
                              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kinh.xmcxmr.com | 127.0.0.1 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | AutoIt3_x64.exe.0.dr | false | | high
http://www.eyuyan.com)DVarFileInfo$ | #U63d0#U53d6Proxy (1).exe | false | | high
https://crashpad.chromium.org/ | msedgewebview2.exe0.0.dr | false | | high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | false | | high
https://crashpad.chromium.org/bug/new | msedgewebview2.exe0.0.dr | false | | high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | integrator.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/8 | Aut2exe.exe.0.dr | false | | high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | VC_redist.x64.exe.0.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | #U63d0#U53d6Proxy (1).exe, 00000000.00000002.2601112407.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr | false | | high
http://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr | false | | high
https://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | false | | high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | msedgewebview2.exe0.0.dr | false | | high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | false | | high
https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader | OLicenseHeartbeat.exe.0.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560004
Start date and time: 2024-11-21 09:39:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: #U63d0#U53d6Proxy (1).exe (renamed because original name is a hash value; the #U63d0#U53d6 tokens are escaped U+63D0 U+53D6, the Chinese characters 提取, "extract")
Original Sample Name: Proxy (1).exe
Detection: MAL
Classification: mal100.spre.bank.troj.evad.winEXE@9/180@7/1
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 45
• Number of non-executed functions: 318
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target #U63d0#U53d6Proxy (1).exe, PID 5424 because there are no executed functions
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: #U63d0#U53d6Proxy (1).exe
Time | Type | Description
03:40:42 | API Interceptor | 9817990x Sleep call for process: svchost.exe modified
03:41:51 | API Interceptor | 56x Sleep call for process: svchcst.exe modified
                                                          No context
                                                          No context
                                                          No context
                                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\AutoIt3\Au3Check.exe | Ovtc3T3fD8.exe | Get hash | malicious | INC Ransomware, Neshta | Browse |
 | a.hta | Get hash | malicious | DarkComet, DarkTortilla, Neshta | Browse |
 | win.exe | Get hash | malicious | Lynx, Neshta | Browse |
 | bWrRSlOThY.exe | Get hash | malicious | AsyncRAT, Neshta | Browse |
 | ex - k.exe | Get hash | malicious | Neshta | Browse |
 | DefenderControl.exe | Get hash | malicious | Neshta | Browse |
 | KaUsrTsk.exe | Get hash | malicious | Neshta | Browse |
 | LfZoUaTFP7.exe | Get hash | malicious | Neshta, XRed | Browse |
 | TQ1Aw6M5eY.exe | Get hash | malicious | Neshta, XRed | Browse |
 | rfQ3afwShz.exe | Get hash | malicious | AsyncRAT, Neshta, PureLog Stealer, RedLine | Browse |
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):275560
                                                                              Entropy (8bit):6.2970746701197715
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CqP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:k9q4VQjVsxyItKQNhigibKCM
                                                                              MD5:C5611345B2807155BF89ECA90379AB14
                                                                              SHA1:03A0F7BD2A50895DF6A9311DB3E5C58B574E1BA3
                                                                              SHA-256:6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
                                                                              SHA-512:18C164973DE987AD9ED1CFCB2AE5557238692B5C50E0F8B8DCECF0B11B2DADBA6C0B5990C532AE8DB578F04BD1CAB3086C78493866C8B989A41DD6251693CA98
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Joe Sandbox View:
                                                                              • Filename: Ovtc3T3fD8.exe, Detection: malicious, Browse
                                                                              • Filename: a.hta, Detection: malicious, Browse
                                                                              • Filename: win.exe, Detection: malicious, Browse
                                                                              • Filename: bWrRSlOThY.exe, Detection: malicious, Browse
                                                                              • Filename: ex - k.exe, Detection: malicious, Browse
                                                                              • Filename: DefenderControl.exe, Detection: malicious, Browse
                                                                              • Filename: KaUsrTsk.exe, Detection: malicious, Browse
                                                                              • Filename: LfZoUaTFP7.exe, Detection: malicious, Browse
                                                                              • Filename: TQ1Aw6M5eY.exe, Detection: malicious, Browse
                                                                              • Filename: rfQ3afwShz.exe, Detection: malicious, Browse
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):217704
                                                                              Entropy (8bit):6.606010943993646
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CFxFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxTtM:k9P2K4TSFo5Y683TdiQMcGNUl4N
                                                                              MD5:D103610D5A97A461DE47D79EBC364E23
                                                                              SHA1:B7AC0C939E39117C2FA939D47322A8B9FAF5AD0D
                                                                              SHA-256:6CF772752F25B150052F17600F5D08876E87FCAF774CE834A896688B1836BFD7
                                                                              SHA-512:97A467B62C96BF51CC5904B1EF1CB0D416364B2C835A326BFE7F5357823B07F5541C8DF5AD2195583ED108B90E5EDF820E2C3CAD42CFAA5FB67BF8CC1B9026E2
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):237160
                                                                              Entropy (8bit):6.441042873341931
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CuyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:k9tl3wdYtcH9b5Y651zU77Ea
                                                                              MD5:3256A5B6BEBFC57A3CC7C74801B06B57
                                                                              SHA1:7AEFDEDF3B79F68884A780082FC12AF565FE80DA
                                                                              SHA-256:A2791E10861628C1AC263A540A6D575275F9E3E22A31BB62AB1320EAAED0C982
                                                                              SHA-512:111928B9435B7F6721919E58C3248E985C1FA76EB2E9C18559374847C6B8F54499BE6FDA36724F568384A32F1E4D91EC6F0A51ABECFE585740CE1916E5205B09
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1675872
                                                                              Entropy (8bit):7.455008835300499
                                                                              Encrypted:false
                                                                              SSDEEP:24576:LC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:sK0eqkSR7Xgo4TiRPnLWvJY
                                                                              MD5:3E25798A6593021C594E9B0F5E4D1CC0
                                                                              SHA1:0F412F338A8323C62D21606629B121DDC5A11C2F
                                                                              SHA-256:4ED44421F087BC78474EE5512BC85FDF8602D651C144CC97449C332E19B07C10
                                                                              SHA-512:ABAF3628ADB6C48F606DFE67EB777EB3C2B5D3E635996E6E673E3183ACC766A5E0341F1FB79436268DCF0FFF6889F997A77344CC39CC65D06248ADE8A9F43991
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1841760
                                                                              Entropy (8bit):7.348031538890329
                                                                              Encrypted:false
                                                                              SSDEEP:24576:5EeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:rfYP1JsEDkSR7Xgo4TiRPnLWvJD
                                                                              MD5:A80324ADD872CA0150B9A23F0FE412D0
                                                                              SHA1:D8B4074235B24DB9B9238FE7985C4D0A909297E1
                                                                              SHA-256:6BB5BB976CDDCA2A12E007B6B65E675990ABE3819906069DD6DB5867C0AFD943
                                                                              SHA-512:BC1AE9D3976F210F161EE1B8E43698C9B717E216B3E35F6E15C7D38FE5D82DEFB843104B0FBEF56842E7B10CF50DFE2206F7E5C2117AFF0D99AB7B4EE7708915
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):346624
                                                                              Entropy (8bit):7.904139028422803
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9ypXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:V9zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
                                                                              MD5:4D2A6099D369E478E6B97ECA38DF66FF
                                                                              SHA1:F8A2EFB513BC22A550E1DAADB7765D3691795D05
                                                                              SHA-256:E8657C5096C1D6059D7862D842C93EE9D7C16331EFBEC02C99BECA1ACEF0E4D7
                                                                              SHA-512:7BC01CBF7A591AAC71439A126940D1374B6BB49A3109651EB9525026EAB22AD70558FFB8723838C33830467D1B7DBE72E76BA84925BFECD405E10B83FFDF8A45
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):165976
                                                                              Entropy (8bit):6.142151879298232
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C54kvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:k96nGZLknnj1X62SYdb4I
                                                                              MD5:DC83EC579923AE57218540FC07BF2040
                                                                              SHA1:E66D11E9A1E1C5FAD6A6D7B3F4ABDEB1A446A873
                                                                              SHA-256:13E946747F9CD00EC7347780C1D0887C22EE43B8677337B32B0C9CA8070E09B5
                                                                              SHA-512:3990D01D0B492961B1F15A15BA12E0213A5C5B72D5B2809B2A58BFF6A2AB2C37058540D8C9F8E5524FA6EBBE72A0BEB1317AA07D06E8D326DCC234EF4F82CC13
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 97%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1113176
                                                                              Entropy (8bit):6.4474669878621365
                                                                              Encrypted:false
                                                                              SSDEEP:24576:wTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:w+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
                                                                              MD5:17047620C59D9FE748AA05010D507AC9
                                                                              SHA1:5B0D5B70529A435FF5BC75376B472393485C9871
                                                                              SHA-256:C539E191A88228427976838CDBEC85CCDBD82540544615055E8F91BE803568D5
                                                                              SHA-512:21EE706E62D205C09602EDAC232878743F46EEDDF76CD6625926F7C64E89AB27883497A1785D31D8D354E0F20C05C39F39566F6505450B9DB47D057FD7E5BAA1
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2414080
                                                                              Entropy (8bit):6.729178086017267
                                                                              Encrypted:false
                                                                              SSDEEP:49152:3EGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:U4OEtwiICvYMpfc
                                                                              MD5:249BBE06632E2A230917599D7E07C3B0
                                                                              SHA1:E61C25BBEBA924006CA9DCED18549C72856FC205
                                                                              SHA-256:A232299F45362340795849140E955B1FE202928E21FF5BB016A03471C80A2FA3
                                                                              SHA-512:537050319C5BC05A3DF9A5629CAD25FC2CD4A28078CF6932C0434F5FF135653300D90030D1F097607FD7257130D70A91B7235AAD82A07199891C25E8EE5DD8B1
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):113233
                                                                              Entropy (8bit):6.788395365702366
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CWCrNGEtajbefY/TU9fE9PEtuGCrK:k9WCrAEt+cYa6YCrK
                                                                              MD5:BA9FF8A299799820F7252C401EA47ECB
                                                                              SHA1:D8123BDB9E57F1364E304209F149360880F26C3F
                                                                              SHA-256:6938E7E71C8AB309A57D7C7C2B764F888AD6A9B8807200E573CA6B7183B11FF6
                                                                              SHA-512:A62D6818EFB2FAAE9012377319277B7E8F31FD32326EFE1011D1D874006B3C6020DC3F4DE429B9DD4F4B137E2954A0469DEF997692BA72DF21AFC0F6B505C54B
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):409608
                                                                              Entropy (8bit):6.462760862163708
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9hvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:LbgvuFuQdj+zRTJkX8yMhB3jhBAi
                                                                              MD5:1641D233388AEAE9D77CFC976D5427FD
                                                                              SHA1:C33533FCDC02E6255A1863102038C961E82BFD63
                                                                              SHA-256:D996D5C70C926BD6265607C6536C2B575427F11046E5FCA5AC32768E2AE81EF6
                                                                              SHA-512:A959BC2A3F6A96EC44EE1F58A0E5C6D791158D4935DE8357091A273F2120993438B4883A9C919824F7C6D91462F7B97C7BAA6B3AF4829B63204A5135D4895CDD
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):214512
                                                                              Entropy (8bit):6.4940889932550885
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CxGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzDI5:k9xGUcsvZZvUmubv7hTHA8l3yROJyDI5
                                                                              MD5:BB00882A877F34EF5C0FB4FEEFE0C351
                                                                              SHA1:79B64FE2910FF50820B0C83BD52857ADBAEE5AC2
                                                                              SHA-256:45E860894975F6F06D453668E5A4BC99A9C9F20E1D10B29C889280C03FBD6174
                                                                              SHA-512:C7EBBA30720AE9482D889C27A7434328D098A66CC08BFD6A4F96B92C7799FB6E3784BD63BA00E5C03F168D45B164DAB8953042AAF1D9450452C217A9C724AAB9
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):568400
                                                                              Entropy (8bit):6.67410873638024
                                                                              Encrypted:false
                                                                              SSDEEP:12288:pyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:pyyLj8trn3wsq0vq
                                                                              MD5:4742CA122FBE7E689F0AB4DCE9507986
                                                                              SHA1:5DF6FDFA6E97A57A4F957EEB4520BA378F850B16
                                                                              SHA-256:D91AA424DAFC703F0DD4173FDFAF017F8203D42F78E2219C21714E81F740991B
                                                                              SHA-512:0643D24C897A268C2537F0EA885AB7C1263E1648AEE3350521C04695ABAABC2908C5A1F262C17A6918C30608D40D1B61A5EE9A0BB027BDFF9D8D6FA7AFA7996F
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1252432
                                                                              Entropy (8bit):6.763931251276611
                                                                              Encrypted:false
                                                                              SSDEEP:24576:R0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:S4iwwGJra0uAUfkVy7/ZX
                                                                              MD5:B248EF0A955B4F85B13A4F2039C4F757
                                                                              SHA1:B48E6437A4D0998F47606660AE97BAD147D2E873
                                                                              SHA-256:E46F55F9E2C74FD3E46A67DA5CB29EB2458ABCF8134D2E447AE91F408B5CD3DD
                                                                              SHA-512:EE58707EF36F8E0499CD45C985A91390241064F07CFB1F74B2F5AF1270631C5DB34A9F517F89C45EADF9D8914301C24A80359C22589934C98716E472AC21AB50
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):790096
                                                                              Entropy (8bit):6.746361102520175
                                                                              Encrypted:false
                                                                              SSDEEP:12288:/MvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:TR0gB6axoCfyR6RLQRF/TzJqe58BimIh
                                                                              MD5:CC11EF3CDA871E739075E19C7E011FFB
                                                                              SHA1:C0B20B62646FB9C3C3AAA61BA6D806AAE86FC93B
                                                                              SHA-256:5F4334AE0F8BB573E6179BABD9C7DF94C0FA33A081390FEE7C04DDBEF1CE5BC4
                                                                              SHA-512:4DF027A3FF53C549AE181C43BDA619460A373E96564B448C74EEFA5ECD820A39B51C763FA5FDCCED1939CF900E51826E5D6087272E91DD95629E2C7615B268E0
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):562776
                                                                              Entropy (8bit):6.434910305077969
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9H0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:peqbWqB3sunrT9+aYFLq3ny7JSEBPj
                                                                              MD5:AAFEB56FD7F7B3864CE0172C11BFFC87
                                                                              SHA1:8628FEF6AA9346B4CA3E0534632AC831DA737C15
                                                                              SHA-256:8620ED2307EE8B35B5109D765F8BFBF8FDC2CF5D451E52706F9C5C2A13248609
                                                                              SHA-512:16BD91F2F348D6FB6B35AD47225B9CF80AD0EC5D0BEB0AEEF7D84D9CE164DCE23DBAE529CCCEC7CD6577E115935D93913DCF6446C92499C96BA11E986271E5FE
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):127512
                                                                              Entropy (8bit):6.339948095606413
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CqPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:k9qg1MOc81hmRFJs0Z
                                                                              MD5:1307001D8EECE24439EE9F2E353163CA
                                                                              SHA1:0D5EC348BFB5B53CF8A0AEE1FD325BA0BAC476B2
                                                                              SHA-256:D5842746263ED287CEFF18A1C03D784AEB007D7BF63D6548C324B21FE7B6F3D5
                                                                              SHA-512:5A23D430C6117CC2467E2FBA4935829EED4752A6F10F2AEE81C66B239567BC3A3F2822D3A039AE450CF5CC89F27FED2E1EFCC8260D5A650AD3570671D65B247A
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.791456127636419
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
                                                                              MD5:7663DA5345AED4E2CE3AE00F1569BAD3
                                                                              SHA1:10BF6A77F04B10292030C2456066EB519A4F50A0
                                                                              SHA-256:14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
                                                                              SHA-512:1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                               • Antivirus: Avira, Detection: 100%
                                                                               • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                               • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.793867878392893
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
                                                                              MD5:BB0E7591812BC27C3D6D3DA565AF925B
                                                                              SHA1:BCF62126B5381B32D7C614EFDFA30CF7F385463D
                                                                              SHA-256:F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
                                                                              SHA-512:EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):437888
                                                                              Entropy (8bit):6.42684511221715
                                                                              Encrypted:false
                                                                              SSDEEP:12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
                                                                              MD5:2607BC5BE23EF6AFA96E1B243164745B
                                                                              SHA1:50B602076CB054022A35790FDCF0512CA1D9B68D
                                                                              SHA-256:EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
                                                                              SHA-512:59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):343328
                                                                              Entropy (8bit):6.646237652723173
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9zkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:OklinJruphfg26p2Ewix+m8Nln3
                                                                              MD5:E08B11A49D68A60193D50788A23FEEC1
                                                                              SHA1:5348D03F4BE33DE456F7E319C1F0F0DD2B281881
                                                                              SHA-256:AD46D94722B50EED787512D44634295F8EAC6AB5851F75CC14B40DB095D18244
                                                                              SHA-512:F397CA818F0F9902DC4111D240C6CE0E29B75477B4571D89BE9F4BEC2144AFE6E1BECC6058E3701B18C0090BF2FA15C8153173C024203655A3D757572E7E6DF5
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
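Every dropped file in this listing shows the same preview bytes (an "MZP" DOS header, the Delphi "This program must be run under Win32" stub and identical CODE/DATA/BSS section names) while sizes, entropy and hashes differ from file to file. That is the signature of a prepend infector: Neshta writes its own Delphi-compiled body at the front of each host executable, so the first bytes of every victim are the infector's, and the only place the report names the victim is the "Source:" field of the Yara hit. The Python script below is an added example, not part of the Joe Sandbox report or of Neshta itself. It parses records in this report's "Key:value" format into an IOC list (host path, SHA-256, MD5, size, Yara rules), drops the verbatim-repeated Yara hits, and flags groups of files that share a stub header despite having different hashes and sizes. The sample input embeds two records copied from this report (previews shortened to a common prefix) plus one hypothetical non-malicious record for contrast whose path and all-zero hash are made up; the 48-character prefix length is an arbitrary choice.

```python
"""Added example: parse Joe Sandbox 'dropped file' records into IOCs and flag
the prepend-infector tell (one PE header preview shared by files whose sizes
and hashes differ). Not part of the report or of Neshta."""
import re
from collections import defaultdict

# Constructed sample: two records copied from this report (previews shortened
# to a common prefix) plus one hypothetical clean record with made-up values.
SAMPLE_REPORT = """\
Process:C:\\Users\\user\\Desktop\\#U63d0#U53d6Proxy (1).exe
Size (bytes):299136
MD5:7663DA5345AED4E2CE3AE00F1569BAD3
SHA-256:14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath_target_749031\\java.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath_target_749031\\java.exe, Author: ditekSHen
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath_target_749031\\java.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview:MZP.....................@...............!..L.!..This program must be run under Win32..$7....PE..L....^B*
Process:C:\\Users\\user\\Desktop\\#U63d0#U53d6Proxy (1).exe
Size (bytes):437888
MD5:2607BC5BE23EF6AFA96E1B243164745B
SHA-256:EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath_target_749031\\javaws.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview:MZP.....................@...............!..L.!..This program must be run under Win32..$7....PE..L....^B*
Process:C:\\hypothetical\\clean.exe
Size (bytes):4096
SHA-256:0000000000000000000000000000000000000000000000000000000000000000
Malicious:false
Preview:MZ......................@...............PE..L...
"""

KV_RE = re.compile(r"^([A-Za-z0-9 ()\-]+):(.*)$")      # 'Key:value' lines
BULLET_RE = re.compile(r"^•\s*(.*)$")                   # '• Rule: ...' lines
RULE_RE = re.compile(r"Rule:\s*([^,]+)")
SOURCE_RE = re.compile(r"Source:\s*(.+?),\s*Author:")  # infected host path


def parse_records(text):
    """One dict per 'Process:' record: scalar fields under their report keys,
    'yara' as de-duplicated (rule, source_path) tuples, 'av' as raw lines."""
    records, cur, section = [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("Process:"):
            cur, section = {"yara": [], "av": []}, None
            records.append(cur)
        if cur is None:
            continue
        bullet = BULLET_RE.match(line)
        if bullet and section == "yara":
            body = bullet.group(1)
            rule, src = RULE_RE.search(body), SOURCE_RE.search(body)
            hit = (rule.group(1).strip() if rule else "",
                   src.group(1).strip() if src else "")
            if hit not in cur["yara"]:          # the report repeats hits verbatim
                cur["yara"].append(hit)
        elif bullet and section == "av":
            cur["av"].append(bullet.group(1))
        elif (kv := KV_RE.match(line)):
            key, val = kv.group(1).strip(), kv.group(2).strip()
            section = {"Yara Hits": "yara", "Antivirus": "av"}.get(key)
            if section is None:
                cur[key] = val
    return records


def infected_path(rec):
    """The host path appears only in the Yara 'Source:' field."""
    return next((src for _, src in rec["yara"] if src), None)


def is_delphi_stub(preview):
    """Delphi-linked PEs carry 'MZP' at offset 0; the Neshta infector body is
    one, so every host it prepends itself to starts with that same header."""
    return preview.startswith("MZP")


def prepend_infector_groups(records, prefix_len=48):
    """Groups of 'MZP' files sharing a preview prefix but differing in both
    SHA-256 and size: one stub in front of different hosts, not file copies."""
    groups = defaultdict(list)
    for r in records:
        if is_delphi_stub(r.get("Preview", "")):
            groups[r["Preview"][:prefix_len]].append(r)
    return [g for g in groups.values()
            if len({r.get("SHA-256") for r in g}) > 1
            and len({r.get("Size (bytes)") for r in g}) > 1]


def iocs(records):
    """Rows (host_path, sha256, md5, size, sorted rules) for malicious files."""
    return [(infected_path(r), r.get("SHA-256"), r.get("MD5"),
             int(r["Size (bytes)"]), sorted({rule for rule, _ in r["yara"]}))
            for r in records if r.get("Malicious") == "true"]
```

Feed the full report text to `parse_records` and hand the result to `iocs` for a blocklist and to `prepend_infector_groups` for the stub check. A group of several distinct hashes behind one header is the cue to treat the listed paths as infected legitimate software to be restored from install media rather than as standalone droppers; the preview alone does not tell you where the stub ends, so recovering the original host from an infected file needs the actual sample, not this report.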
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):443680
                                                                              Entropy (8bit):6.399332197842204
                                                                              Encrypted:false
                                                                              SSDEEP:12288:r3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:rx5k8hb0Haw+x5x
                                                                              MD5:BFEF6D485809D5E865C0CE57F5C30761
                                                                              SHA1:67C6C40D604D094508A7A54B2C1B984D6B284B16
                                                                              SHA-256:AF62AE439BF04032F161BE6720D989A4CF6D79F74916849D06F1118B77303B70
                                                                              SHA-512:7F1715A1CAC7CFD1AC321F70DB92E1255DE06E6B98BD8D05F84219C729714DFAFA2C15B12CA55F5A3F7AE93FD53B74927D29F4627F27BCA7E65BC3D925A61912
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):203552
                                                                              Entropy (8bit):6.1365331355493
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C8aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31OK8I:k98aK2h9H/B+rEtiPC
                                                                              MD5:3F7B572F1D8E16AEB92DD112EA5DDCBD
                                                                              SHA1:FE399BE4D0126B73A2F1793B205D75F52923913F
                                                                              SHA-256:617E36E5B66F2D8C2CB7534E883744EF115F2F1EC8B8210FAD308E21338A78E6
                                                                              SHA-512:B5E7D7601A159DEE555A0E98D0D7D0A1BD2EAB68931C8520AC8965B2C05FFFB66D0320EA79713645A4991017A1D753E68F01267311B1C35AD86BE9731D3102E6
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 97%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):149792
                                                                              Entropy (8bit):6.511104209826025
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CV4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:k9npsB+09zMH7cCxPd
                                                                              MD5:931BA0AB474211B6F6F46DF9D2685396
                                                                              SHA1:46B754C10E0CE63693C1E0C243A180E980CCE688
                                                                              SHA-256:37AC3DD2183C224D3E32A772FBA419CB1B63E591C5DF6FA69A15989DA9B2C582
                                                                              SHA-512:2E9913BEAECC96FC9BB5BA270B819B7D3FDA82BE9AFF739C294D74A3C0ED7D706A7584D872221B864C3297CAB8C9300FE4DED15A40DA0F687D8E1DB1D60A18FA
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):227104
                                                                              Entropy (8bit):6.237873657819261
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9AWt9h8QlLISZWVRohcq7dvni3F8QrBA/:Hy9hdFIdRoGUxi35rBU
                                                                              MD5:19AFE8347886BC20E0AE3FF3168E4A33
                                                                              SHA1:C75BF52D95EFB4C1A07F0D55D7A25B765B366087
                                                                              SHA-256:58D82570BEE9757A3615789DF93384BC28C77D4F0E60796C0A845265FDB0BADA
                                                                              SHA-512:6FE092C3AEB098BC26AF41E64EAD35381C7E49BEECB1847A1DF7DBDBE2449E0826D888B49F099E28C3A752013BA9E7D0DDF256A8B3A57F3A60248A467CB2DACF
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):264480
                                                                              Entropy (8bit):6.6429855049099995
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9YwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:1w6JmRI6Bitwpx+iQafFykG1da6edo
                                                                              MD5:9E4A1877CD2731B9DFCE6E0FCD7B5037
                                                                              SHA1:45E966F9EF775DD94339782C3374597AA7BC17D0
                                                                              SHA-256:224C2EE088EB5EA5D06DA228AB575A704FCF2328B3EB60613983236B13B5CD70
                                                                              SHA-512:7A7A6185F7590B1C5BEB2D16DA1FF14BFF15E6EE5BF185562B1588E32F112765BAF20D84892C85299DCD2C1F7127950D78EB3D10EDE6C45727D1D737F022F8BF
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):149792
                                                                              Entropy (8bit):6.511488043303241
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CZ4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:k9HksB+0YlEXAe6QPt
                                                                              MD5:1F18312D69028EEB0E96580CBD36232A
                                                                              SHA1:E90EB0E84B9D3693EEECAC1979E736802D7AA181
                                                                              SHA-256:DD6FC425C8F737BA5054624F638AB7B4ECCCFE3A6A14C1DDF11FDE34B928557F
                                                                              SHA-512:487A3C9E58C51210EAC60866105E1E3A6C1F1B9BE39BB958EFDC635D2D7BB7F382E7AC3500CF40B2B83DA16986B1B8982E79E51C452901AB9848AE80666A1B26
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1631792
                                                                              Entropy (8bit):7.975199435773668
                                                                              Encrypted:false
                                                                              SSDEEP:24576:HR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:/kVX3lfrFfR0BecCqKBs+4o8YhAKi
                                                                              MD5:3DF71037F5D9E13497D95C8DA1CDDDC3
                                                                              SHA1:32BF295FDEDCE06CB789BC243900AD405BCD2FA3
                                                                              SHA-256:D5CBCA7E0315EC041C267A8B97DF0BE9AFA6618E2440E5FC673F473E89CB5A08
                                                                              SHA-512:BFE93175001FFAF6B7F07B2B19D10AD7A701642D6316A19457F5C23C8E97ABB9518E17C058E8115377E0D39EF24C4641C0A3561C291A9D8455F11E6FF2907C3D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1631792
                                                                              Entropy (8bit):7.975199435773668
                                                                              Encrypted:false
                                                                              SSDEEP:24576:HR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:/kVX3lfrFfR0BecCqKBs+4o8YhAKi
                                                                              MD5:3DF71037F5D9E13497D95C8DA1CDDDC3
                                                                              SHA1:32BF295FDEDCE06CB789BC243900AD405BCD2FA3
                                                                              SHA-256:D5CBCA7E0315EC041C267A8B97DF0BE9AFA6618E2440E5FC673F473E89CB5A08
                                                                              SHA-512:BFE93175001FFAF6B7F07B2B19D10AD7A701642D6316A19457F5C23C8E97ABB9518E17C058E8115377E0D39EF24C4641C0A3561C291A9D8455F11E6FF2907C3D
                                                                              Malicious:true
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.791456127636419
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
                                                                              MD5:7663DA5345AED4E2CE3AE00F1569BAD3
                                                                              SHA1:10BF6A77F04B10292030C2456066EB519A4F50A0
                                                                              SHA-256:14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
                                                                              SHA-512:1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):135808
                                                                              Entropy (8bit):6.396186166703023
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJC/rmKmGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nBs8m:sr85C/q4yutjZqMNbSgxbFrj8m
                                                                              MD5:2DE190CF047A78DBCAB6E2216701D2BC
                                                                              SHA1:9B490C017D00BD20562225FC684D426F44EE3C76
                                                                              SHA-256:266452E14A03BE6D5B3CB049E5BBEA4C4787B4C18289FBAA212DFD8B1227B3C1
                                                                              SHA-512:E1D62E8CFC1F441ED08ABDE8CD996EDE7636E48E67E0B1787A9CD0865C8885C1D56E736803BB20773EFD98768ADDCDB79C1489912F5D01E5BFAB231394D552FB
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.793867878392893
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
                                                                              MD5:BB0E7591812BC27C3D6D3DA565AF925B
                                                                              SHA1:BCF62126B5381B32D7C614EFDFA30CF7F385463D
                                                                              SHA-256:F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
                                                                              SHA-512:EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):437888
                                                                              Entropy (8bit):6.42684511221715
                                                                              Encrypted:false
                                                                              SSDEEP:12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
                                                                              MD5:2607BC5BE23EF6AFA96E1B243164745B
                                                                              SHA1:50B602076CB054022A35790FDCF0512CA1D9B68D
                                                                              SHA-256:EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
                                                                              SHA-512:59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):163456
                                                                              Entropy (8bit):6.282119597857022
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CQ446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:k9Q446d7T/H4X
                                                                              MD5:6CAFDAA62D8747DE46D3034200B28419
                                                                              SHA1:939138E4EE0DE785F062DBDF928465EEB2653510
                                                                              SHA-256:F8C97B577C19232F795F72E2C81D343E7E4CC1A219350419A7FBE781C1FD82B4
                                                                              SHA-512:8A390C6A4FB272AC4ADC80018E548AD656504901D580BD6FCDBF9DC6181435FD36AD46B396421F8957E38CE6D981324DA93BA5217FFCF78AD1AE7F2C8BC868E4
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):127104
                                                                              Entropy (8bit):6.0679650494656965
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJC3s8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8nBsb:sr85CaUkEsqzy7pxI8BszFJqkb
                                                                              MD5:80063F8042BCD9F08243437E883EE0B7
                                                                              SHA1:B28DFAAF22CD52264358AFCEFC9272B65DA021BB
                                                                              SHA-256:77D52E65380CDF4E98EBBF36F578A5A1406F4BF9D53C434FFDE323AD833158C5
                                                                              SHA-512:BD4FC5327D74C0D9FC1A75DC9781AE5F3C147A83E4A22FD7FDBAC370E1210C781A51018D798BC5F39C9A9804E43F56649E548C562D59BB4371ED473113B952F0
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):223360
                                                                              Entropy (8bit):6.089485930964728
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CIySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlZBD:k9oSyMZOy406qS2AroAxnw6f9JCXN1
                                                                              MD5:8AC992B3CEE15917902FCF4E1BB88AD1
                                                                              SHA1:278D893D5B43C8210F04986205F42D7B842B49CA
                                                                              SHA-256:2A5F8A9115B28D6E242EC13E0C9B577FC55A4B23AB7605CC6F4BCB7645A7A905
                                                                              SHA-512:4ED4B2E050D864F66BEFAA8D587972B5219064D5EE989F36FDB410865D30467EF60D6A1B14D53FF6F6E408644059E473134E74BD8B4AE841D1D74F2642649381
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):203264
                                                                              Entropy (8bit):6.630784933207718
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85Ckwl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:k9ZiFIf34hcUsz225/
                                                                              MD5:FD99F4BAC9DE9CEA9AEBE10339376F46
                                                                              SHA1:657C4D31907420906F6B76E7202DBC8D1ED642C7
                                                                              SHA-256:D40F5C5B2B8267AC486BF5E68ED065502630CD8D5C38C84773A3CD8341DE3479
                                                                              SHA-512:360A69F494DD27CAB49FC0FBC0A3507593D97D65D41C7D9E7489A89385D1E6ED42F9E4109A3585425F19AC6DD3A19A281CFCB4CCBCB9BBDFD4C914404487A9B5
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):209912
                                                                              Entropy (8bit):6.339745236465328
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
                                                                              MD5:57C91EFB667D78BE5744B415C921B0D5
                                                                              SHA1:875B5401BB112BE99BD150C7F74E5193A2189885
                                                                              SHA-256:2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
                                                                              SHA-512:A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):209912
                                                                              Entropy (8bit):6.339745236465328
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
                                                                              MD5:57C91EFB667D78BE5744B415C921B0D5
                                                                              SHA1:875B5401BB112BE99BD150C7F74E5193A2189885
                                                                              SHA-256:2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
                                                                              SHA-512:A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):264144
                                                                              Entropy (8bit):5.863490790187712
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CQPEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:k9QPEC0QjWGNU6ITL1H0zvjkBA+7891
                                                                              MD5:1FD92ADE57DEF19C2D5BF4A14AF53373
                                                                              SHA1:88335A048A05FCE5F5F23411D07AAA53DE05FEBE
                                                                              SHA-256:7BF6EB7F7150A749DE8581C55BA2E0EB2317B17AA39E39466C22F8E537892070
                                                                              SHA-512:1035D82569254BE103EC1A2BAE83F02072A17D7C67DC2BB62F1AADEBD06E3A85FE3B352CED35EC166DB4DA7A06489AB839312CACA2806C544B0D064FD1A8BC6F
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):430680
                                                                              Entropy (8bit):6.627953214122613
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9Bmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Dmt0LDdOUO42ZdocuI4kxBgGONqEL
                                                                              MD5:387E91F4FB98718AE0D80D3FEEC3CBFE
                                                                              SHA1:2A4DEB9782DDE1E319ACB824F32A19F60CCB71AB
                                                                              SHA-256:2AF36D2872119856CBA456CD9BB23623CB05E8957D74EEADBCD5DED57E17F5E5
                                                                              SHA-512:1C6029F902DB9F190985B64AE4BA18CB3E770A2DED56511A32C15EBA86198E26B1C8F3BEB399249AAAA9854C72EBF2C50446182F616345004F2FAAD062FDF8BB
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4473576
                                                                              Entropy (8bit):6.569965325360163
                                                                              Encrypted:false
                                                                              SSDEEP:98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
                                                                              MD5:809D03153D2FCC1C9E1EE574DDF7CD2E
                                                                              SHA1:CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
                                                                              SHA-256:C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
                                                                              SHA-512:094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4316096
                                                                              Entropy (8bit):3.9258169272505024
                                                                              Encrypted:false
                                                                              SSDEEP:98304:nPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:PNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
                                                                              MD5:D303F362090140A192699993B9B481CC
                                                                              SHA1:EA2783C188FBB317661F1FC3A0CB4492BB8EC80B
                                                                              SHA-256:DA0ACD313E47ED22E9D7EB3E3E540853B8EA43172CA0CDCAC4E0447868B2B16D
                                                                              SHA-512:12932A51ACDB0D184CA0AD6B7B1B9B72C8EF698B19B5747BD45DB6EAEB792B942089D62F5AB43106BA840E50D562092FF0056D3A2BAA97E353B2AA64C433242D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):94600
                                                                              Entropy (8bit):6.442216424962596
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCgELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:sr85CgE/OTKXI/etG8ICILJ
                                                                              MD5:3F61817FF96973951F7964C30D7B3E0C
                                                                              SHA1:206328C89E5552AAFF1C232D4285EF70BB305CED
                                                                              SHA-256:0F2597EFBF9783DB37DE336D0F7C2F2906E09173873EA105C79EAE1B56E8F95D
                                                                              SHA-512:C2394D49EF23ABCC1C96DDF60111D2272920698D962F769B3CBB7D77493438201E5B1FB7B196ECE9B709A7DC2E03B26FBCB74699CDE4B1B6AA56C869F287A47B
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):101496
                                                                              Entropy (8bit):6.2502810194516245
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJC2vpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:sr85CwToATzvmN0KRm8bOzc
                                                                              MD5:FA4CEDA48FE9CEA7B37D06498BFCAD93
                                                                              SHA1:C85C170D39C0BEEA2203B0BEA30C19AABD4E960D
                                                                              SHA-256:BFD637624C2C9B5ACDC470E589795C7720710782B618830E70D4C08F2498D64F
                                                                              SHA-512:B95C63A1DDA19FFD988DA77C38E04BAF600C61C32FD231981B6577B351A5D8DACAD0A6923ECBB05692BE06BCCFC365A7AC3AEFC957E25D56C7A5B81CBEA4E208
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):455760
                                                                              Entropy (8bit):5.934487072040942
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9fwACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:KwACThwSSn2dRANtlF3j
                                                                              MD5:EE7FE56AA5473C4CAAF6542F9C89E3B5
                                                                              SHA1:F94831FB534FA38C6142CE1A73883A5F181D47CE
                                                                              SHA-256:AA77B4D2A82911CFCC76EEB2184FD513F8E8DABB39B90019E7F051172CA128E2
                                                                              SHA-512:EE7A769F162F3E4A55A8653F51D601DBEA53533EDBE6F52A96077234E6367FA835EDC9F2DF76F56715EFAEA618D4A77C64F7875725BEF5AC9F5D0E1F799DFC37
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):225704
                                                                              Entropy (8bit):6.251097918893843
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CHLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:k9rjilq8OPwRzso6AQ5yC
                                                                              MD5:D2E8B30C6DEBFCF6CF8EA10E95D2B52B
                                                                              SHA1:E907D9A5B3AC316E5DCB4143A8B9466A548CD247
                                                                              SHA-256:2EB9FDCC1BCD91C9734390A0F9543B6DEA8A934F71D14D304D0DFEBD9ABE1608
                                                                              SHA-512:811C739AEED909E5F977E3C69FBBB6DD57FD9A0C5D644129C41D298279C369F9CF8482230DCF7762AC6B38958CC78255B1B2A9261ED0C897E9CF85244F056A67
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):84928
                                                                              Entropy (8bit):6.496286535630211
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJC367wZClMML07MiapFmPRHyzMwzobtM+zf:sr85C367wZClMMQ7MiawHyzMwsL
                                                                              MD5:577ECDB909EA638F824698FC9662A65A
                                                                              SHA1:EF5B3EF16FD6E4FCE04774B001C229B091B64242
                                                                              SHA-256:917362177EC459D22BC88ABB9EA65E385B50A664A9D314AEBDE4AEE3D4ADDD69
                                                                              SHA-512:2D30E0328E250B90731269650174145A7E0993B76D43A90BAF93E05DDE59B7930199755648C90BE80BB11AD7ECE5555C1F54991E1146A62D1985958E6533A854
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):83816
                                                                              Entropy (8bit):6.5486905453129385
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJC00s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:sr85C0t7wZClMMQ72ahnGzextQyxtE
                                                                              MD5:0A60BCB1B4624AEFC401299CF4AC158E
                                                                              SHA1:B213E9E2C230E850B70EEE7670A9961DE0DD3B92
                                                                              SHA-256:377C6042F55C5245E950DF6C58C8E541F34C68B32BB0EACB04EBDBD4D4890ADB
                                                                              SHA-512:B6F2C7F1CF562988BC0B4F45D3E36062C08A640F0CC99A3CE05DA121CB107716193FBE3B9B6012B77712FC8832D3EE19B9889018815F414C1FF0DB1EE5EFA898
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):233832
                                                                              Entropy (8bit):6.444055281477179
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CUW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:k9t2GhN0lsdspzPgg1
                                                                              MD5:C541C4556C5B21907107E916D65C5212
                                                                              SHA1:E70DE78F3C4FD8A9364FD54A8283523572F07F60
                                                                              SHA-256:99669ABB3F0C6A61BD44D379FFBC5712D2AB44E63D1071E1B699E46DAF279358
                                                                              SHA-512:73761E8DBB28A0A83BA33236CC43609CB11B64716A3CC0EE1394D1C05ED9BD71791566666EBE8B159D13FE3A1B90FB473B865AADAFA69DD3E4513824F1959793
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):502632
                                                                              Entropy (8bit):6.71908645689974
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k90WDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:kMxCvm7JK6JAB/6N30xpI
                                                                              MD5:266F86A29B1E6B8B760527C50DA9D660
                                                                              SHA1:2C054027DC591063B47873D42D973B38B3BDE3F2
                                                                              SHA-256:F30F2704E1BD0F7B173E9DE79D3BA9FA3CB1B494C8BF20FB4768B5D5EE6317CA
                                                                              SHA-512:1672AEA98C6142E995BD018CCC8FC7836A05E6A5062C7B615D7C5D04E3E80EC4AC37DAF999296C2F095C4FD2A8FB38766DE09BACDB574266DF0257E697522D78
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):352704
                                                                              Entropy (8bit):6.38536686774314
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9+EshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:ysHHrtuZtPvh3FuQ/jyp1
                                                                              MD5:51D8F20B8D5103A7A909B107B6A3B7E4
                                                                              SHA1:FB4B5534EB81A82E70652870FC68DCB8EF8C9A6E
                                                                              SHA-256:BBC6913BAC290E98B15A7F65E9CDAC0607BCE18A32CD3DCD1D7EAD307F0B51E5
                                                                              SHA-512:77A398F43351031F2B6EAACE03F787E49DE72A1C937A24A2847BACFBA8A1FE76B2B031524530E5E5B2648B6B0FA87B53104A92B1A216963F2D233E0D74D03D16
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4395184
                                                                              Entropy (8bit):5.937082520516123
                                                                              Encrypted:false
                                                                              SSDEEP:98304:mXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:oR345NRAgsr7QH6h93
                                                                              MD5:F57075B760A0D881010E15505F0C483C
                                                                              SHA1:0ABC231159F339F651595E385EC7B466E259470C
                                                                              SHA-256:3D0EEB0CB3BFBCCB167AE0D1AD90B8EFE17C9B88D491AD5D14A0EFAB223D6E21
                                                                              SHA-512:64D97EF9B435579D883DD5C08967737D868C6A6B6347E37E248C5DDFB47FA726B712DCABC179EA62E0A936692355766FC06BB4C1DA3087B81092942940068161
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):603928
                                                                              Entropy (8bit):6.530305704021743
                                                                              Encrypted:false
                                                                              SSDEEP:12288:bzKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:/KgMxoiPoXruPi/++IvJdx
                                                                              MD5:8F1CAC64758ABE414CC4B882EE8519B8
                                                                              SHA1:7018BE9C3FCF4FB4F8138869F9CD40AAB0C9B1A4
                                                                              SHA-256:110E1BBB7A4F7A42D2099D8A76F068DDE01D63C28D841AAF06D3EA872F261716
                                                                              SHA-512:19F81CA57D67C8D8B784817E88C10E7768906F019950914B391DF69C2C537380296D1D4B92F7070ED25582E9EB7C015E797D3131D77A70CCFF690CDD39CFE4EC
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):507024
                                                                              Entropy (8bit):6.145143458075982
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k95yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:NrmBjYuALWJMn2XTmL7hPH+
                                                                              MD5:F6C667D2590E5294F3272D9576BC3051
                                                                              SHA1:13D893A1521C8BA8D1FCBE11EE0FD16F2E0194F9
                                                                              SHA-256:03966A5548958182569400B6098219CDDB1EC6C5BCCFB5391A36F66E9F517FC6
                                                                              SHA-512:E2FE50A7EE86D8B05CCE91C9F0CA07A24C41631A317F38AB380C996475BD8B9CB05BD7B9D49968AE87442399EE7312C69169447B3D527B539F0C8C1920D986CD
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):251560
                                                                              Entropy (8bit):6.621260401843092
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9BomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:4sAETlVsKzZPixGBKI
                                                                              MD5:3DF5147DBAC00F92DDEE6D22533EB194
                                                                              SHA1:F7ABB04F99361465F9FA9193E1ED06B49381C688
                                                                              SHA-256:A5BD7911E7F7FC76E27F5BFBF2B4AAAAD9FFE0FD304B65D87783409629EE8B25
                                                                              SHA-512:84ADC24DBDCBE9EB9A5BD77BBC0F1BC1E59E4C32496F4A435D85ADD042F7FEFFB0FD21D459D62F0BCFF7655CB3262F7BAA491F6947B5F4ADCC650A5B10FCE3E8
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):751720
                                                                              Entropy (8bit):6.631735781680161
                                                                              Encrypted:false
                                                                              SSDEEP:12288:DdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:Da8PWELTBlZ+erw+xdeFUsUkEh
                                                                              MD5:8A6DCA4D7B31FB7626B5FB7430241040
                                                                              SHA1:258B527B5F6B30411C8727107B29AB9300163817
                                                                              SHA-256:6DFF05FB541A8D3B7847AB3197422E582AA021963A9C4BF63C44100180CF22F5
                                                                              SHA-512:2A9714FE31814C0ABE13F59ED77A8EACD0CAF2BF9566FE9B9B0240A942EE5BF5425A5E523F2C51DDBE8BA977675753074901C211A42D899F7AF9F47890280693
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):161968
                                                                              Entropy (8bit):6.528134300921485
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C9NDS5lS1jITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:k99NDS5lSxFeBTfNDS5lS7zUrsZ
                                                                              MD5:9A962710D6C3F23726E18BFDCF7D5BEE
                                                                              SHA1:01AE9DB82D4B7E365E30B4A2A930B74FB8C0C5DC
                                                                              SHA-256:17D163C4C9AA325EA07FB5E5EFCFC3A308D30D71C7A19BF663350F978EB6418C
                                                                              SHA-512:0D51336AF8246C7B6EC30F506206198A7873106E07995A69A51D059FA5F83BC0BE6E6744A0D0306DBAA811DF623239FB472880E7C87AE83CC9BFCE70E7C2960B
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):159560
                                                                              Entropy (8bit):6.577583568198119
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CIklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:k9ab5zPaNQnBxw34Oita
                                                                              MD5:04CD44B46689C390B61090CC9AF0DFC5
                                                                              SHA1:DC21D958A5D799B45AC721528216E981AD9FE73E
                                                                              SHA-256:19E2D4135729DEEB6086A7B6E50CC9CC238DC19F199BE40CFF80A7280A9D7A8C
                                                                              SHA-512:7D91066D2D02853B9C71C1D691D1315E0CBDC1111AEA83A4A45CB40AAB26A53311386579BA93AF557C9074D4D69E0D265B13C41A384C23BC254911591C0C8B5E
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2233240
                                                                              Entropy (8bit):6.2971498741833525
                                                                              Encrypted:false
                                                                              SSDEEP:24576:LDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:vqHVhTr5UmY90sGE5dIDG29H
                                                                              MD5:B30942151231700F5D6432BA1B1A0C0E
                                                                              SHA1:670E354D40154284F518603B702DC0B7EE94DF82
                                                                              SHA-256:F8677E5F13CEF8B175C10B333927AFF942E46A9F0C73BE91E9BA8A424B878ABD
                                                                              SHA-512:8652C36DF9B5A8B245E3F0A4AECEC55E46B55D18020A11AA0BFC0BFDB532870AE06CECFDBC15000B287E171177570A4EFEE44E2F2EF9B228221C93074A65DB37
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):214432
                                                                              Entropy (8bit):5.994507792871334
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CIVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:k9YtXofXXXXXXASLzb9uhqK
                                                                              MD5:74D1B233AC72ECF698C6A7C899B119BE
                                                                              SHA1:EEF35AD9326A5A3E3E9F517DAF69D57D0B700DD3
                                                                              SHA-256:A74DA825D78F461489E405F90CCCE848699A5548DA0D921864486DC95F18BAF6
                                                                              SHA-512:FA9D2E78E79A108AEFCFAE48D040EAF500B72B77C3F62404565D257642FC848405FEC7364A8F1F98EEF00B5725C25A77B5C4B37B3CB60A0DC3909A2FE3C5D6C0
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):620840
                                                                              Entropy (8bit):6.585082275251885
                                                                              Encrypted:false
                                                                              SSDEEP:12288:ioBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:ioM/BB0Bml2m1q/xRPCcwFC
                                                                              MD5:91F300014FBA9310BBDBE0CFDEC9A819
                                                                              SHA1:8091C24B7EFF0215CAF7424ED956322E0E9B4476
                                                                              SHA-256:450D510099056DD9E931D0094D6963A07544E91B3D84A29CA05223C35273A22E
                                                                              SHA-512:B39BD37C0DD05D81647E4C42F0E43CEC41DA0291DAC6F7E10670FD524635086B153025F4E4450ED1D51DF6F9C238DC7BAB3DDCDBE68822AEEF9B79827EE1F0F6
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1568248
                                                                              Entropy (8bit):5.675955532170124
                                                                              Encrypted:false
                                                                              SSDEEP:12288:+wF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:bFXG6uQ6D9L2uV50AlmsjYUiAB
                                                                              MD5:59BBEC68CF2ABBE0AA71761A90902F8E
                                                                              SHA1:CA4DE80AC4640A32C495FCE0237F46D45565745C
                                                                              SHA-256:2289860922074D80B8F52D6014A3002061616342E0CA952A6A6608E83434F8C4
                                                                              SHA-512:4CED0681CC7B5F9F40E4F7496F692A55C71C0DB1E2DBC93C08D8415DF9914F01FA8E45AA9FD276305DF824B7C3742E39BAE005CBB4A851B9E264E5129216B43E
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):634800
                                                                              Entropy (8bit):6.709073721775351
                                                                              Encrypted:false
                                                                              SSDEEP:12288:jf/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:7/4Vdw+Ra6V6g2kazidN6SoEVF
                                                                              MD5:93B1C57F0B5C441FF47190254B01C47D
                                                                              SHA1:8DDFB09946D30CFC78B8D9C4DA9AB19FD0EAE045
                                                                              SHA-256:846FDD3E11DAE5A991888539674DFB6649A1960E724CF72E2D8E37A23C357609
                                                                              SHA-512:5B15EBBCBD69C6BE2CCA96D6C0635FFADD5312BB8EE7FFC6A655D191F5EE25EEEA20EA95D92EF45B47D5AC54BB3216C74D0D4DAC3DB1C5A18B0230F285D5B588
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):748192
                                                                              Entropy (8bit):6.713281323235293
                                                                              Encrypted:false
                                                                              SSDEEP:12288:KKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:KyY14evTc1kZi7zb1KHL8vbTlwOBC
                                                                              MD5:D995BB9A7D45C056184104F03848D134
                                                                              SHA1:794094754972689F4ADF9F876F60440FA74FBD2B
                                                                              SHA-256:CD263241B90D11DB8E0A0EE42D47AB1F7517675F53C2B8D92C61471746BE2276
                                                                              SHA-512:89C4B7AF03DF6B2FE3BBF56D476497E9102B0ADD24552A78D164DDAEE453AA1760D12EB4ABA0501A58BD5F00B00DA36CA0BEDD542B271DC08ECFFF9395495643
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1917048
                                                                              Entropy (8bit):3.840447707777205
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9GBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:DKs78A5UcyOPexxPcUcMeyvZ
                                                                              MD5:87330F5547731E2D56AD623ECDA91B68
                                                                              SHA1:273DC318E8812B3BC6457B0EBEE15F9A7F1D0C5E
                                                                              SHA-256:268E93C44BE7EFF8D80A2B57427FCA2C98E9B08B3E865FFD3C943497AF6408FB
                                                                              SHA-512:DF4DBF95080AA5378E2E0BC5BAD584C6C63ED6464BB855F84AB315B00B9CE08948BE4C69D7442C2BB96969E69596964510D2FECE737CAE39833628183550D19E
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4099520
                                                                              Entropy (8bit):3.72186927452059
                                                                              Encrypted:false
                                                                              SSDEEP:12288:zyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:zyKsY+dy0ZScIBqBT11S0
                                                                              MD5:25E8600B1421194802B2569899E75383
                                                                              SHA1:01EFD3FABD4EDF0733F46D91FB9109523E943C15
                                                                              SHA-256:50280C7E926F959E876BA1BB0611F6C0BAB04EDCEB300D936A887FD3CC9EDE1B
                                                                              SHA-512:DD49E97D675CADA18BA0EC91B4B0A6DF16A86D17344099E3265D3FAA8C576106DADE231C2829FC1D758EECC24343C6AF345CABEF16E91B3854BDA3824AD61541
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):452120
                                                                              Entropy (8bit):6.067280009012926
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9xvhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:GEpFVKj3mFn9q
                                                                              MD5:7EDAA2971D821AB859302C57099296BF
                                                                              SHA1:3D7F419C517B8C3F3B881E7B248D2C4F7723664D
                                                                              SHA-256:CDB80830E3601071C86E0725AE58C9EDCE109BA793910F8C994526EC4E98F275
                                                                              SHA-512:4EB61A55475E6E87542748AE5C4CCC5B07C4840BF95A84342F09FE21C193B3C4040C27237EEFA4EA469180D24D44B591B1F2833441E456F4E2671A45B9D24121
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):116664
                                                                              Entropy (8bit):6.595026282405323
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C/uGaz7jFQ68ICP5q0WISDr34W+wst:k9/RazrA5q0WISDrZS
                                                                              MD5:42085E45C7B5872D0E034915481A8111
                                                                              SHA1:291E458BAD0A8EE5E491301224197ED1B4E00899
                                                                              SHA-256:E8180D00A2F330E6EF33CEFC29896F0F77FF21C1FF23A637A003D97FA9DB62D4
                                                                              SHA-512:0AFD24F81C375210CC5A379FCFFE82B0A50B709A149AE1FB92E4470BF9F1AAF1500BF128C4F4766071C54AE32E89A15A0FB002D64D715601BD7E010E25E1441D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):167392
                                                                              Entropy (8bit):6.553431728074077
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C6WKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:k96WK11Rp+8II5SLUgp
                                                                              MD5:48284F62E79703C80F768CE0ECE7143D
                                                                              SHA1:70DED4ABEB18FEC56583A1F049F4D39507F983B4
                                                                              SHA-256:1BFDD1474D84B058F2C6F19216FB31DC42DA4E42FEF61923814B304276CC08F7
                                                                              SHA-512:A9DD19BA1321A56C4FE3B9CF83E2AFE51D4C915B4F7078EA90F8C3415F64C9F0C3A52DC614AF785045036710D6D819E270B5887F6B198DCDFF9953B8289EAC72
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):670928
                                                                              Entropy (8bit):6.025784704076014
                                                                              Encrypted:false
                                                                              SSDEEP:12288:ewbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:ewbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
                                                                              MD5:7C0014593C4D645EC8F351AB5F1AB01D
                                                                              SHA1:967B743450942FF50B9E75281B40B215478D85F0
                                                                              SHA-256:638614E2B6B2A4E1EB168BF56825B004EF1F247C6E8F27D103BD1D05F18BB0E6
                                                                              SHA-512:E826164FA068FE3709D1D385CBDA3CA3CA5E6A28A50151CFBB214F3C19783D967F67567E40B390E4905655D8340FCC577A63C97293E0110A1E5F3F6651AEB7FC
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):115920
                                                                              Entropy (8bit):6.223528340566431
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJC5w9K75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:sr85C5w9K1Fiz2ir+o5vWM6TUaE
                                                                              MD5:499B11002EBE7BD06FB04458174FF873
                                                                              SHA1:AF90D819CBB316CC4CD9DB1D1E1876129BF6EABD
                                                                              SHA-256:D59CFF7BC9B1DE8E82D900CDC3A6E2969A14E454FECF6FD068B51CDF1FD6125A
                                                                              SHA-512:3392C369F2E777155C76E35D1A9309870C87033FBFF32DBA4CCE3AF8525EC49E397C3655016C34B00BC8A7913E0E73151C2C00A0138C639D15CBDC9A16F0478D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):137776
                                                                              Entropy (8bit):6.532718929417626
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCfLS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHbfC:sr85CsMi+zWeXdswvqiHm
                                                                              MD5:0113D4FE73CAEE2B078E5C5B22E0A55A
                                                                              SHA1:DF82348BA214A6969E368DD516BE07AACADC3144
                                                                              SHA-256:1415C64134FA9678BD5CBB27D189C8CC84BEE485E7CD1454FC2180FEABF8864F
                                                                              SHA-512:B0DE44B4E1B6B33C7479C54F02EF6663CF3C2F88CD736423438B46B4E199B5FD51C3E99239BB8B16D6888C613A8CE43D124CB9DAB8ADB561100792452FEDEEF5
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1206680
                                                                              Entropy (8bit):4.883403224196095
                                                                              Encrypted:false
                                                                              SSDEEP:12288:E61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:E61jViRTfVINdCr6gX0hEl
                                                                              MD5:C3E399A5C28495C77505132DA8625D40
                                                                              SHA1:7F1BC44F6A53E73B222CA0FEC685D4273BD4DFC9
                                                                              SHA-256:DBA08F8269955771CC3598E1168843F954B0CBCAB7A74BEF8905F56C111F2C55
                                                                              SHA-512:72C810017137B35B956E26BB0730F1E4EFC0CFDE9BDD5266FCB993CE69635CDA50EB9B3223CCFC2C340D336BAD4F78205D60A7625E37A72A2796C0A5537DEA5C
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):400336
                                                                              Entropy (8bit):6.662296849527125
                                                                              Encrypted:false
                                                                              SSDEEP:12288:81rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:ArfIbbhooUBu3wzXa/Dj64
                                                                              MD5:5087CFC731A5F640730910C5104B27FE
                                                                              SHA1:3B723898F092788548173BB2DD0C55A85D1D7C92
                                                                              SHA-256:CACE1F97FC187C817C1FAE597C47782279115799F495462F9BA1EBF1C97001A3
                                                                              SHA-512:A3FBBB913B2D3827B9191C394D2A0EB76FA71A8C870BAF05BB68A04FFAB76BA0F4500D13B5024FF27E39BA671CEEC9B5BA1715D04BD2961ECE04BC4FE6D8E222
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1662344
                                                                              Entropy (8bit):4.282519659984365
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CdK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNDz8:k9DztkAzkAZqrEdrEAZUCwFjNNYEzcL
                                                                              MD5:7A621A47B55EB778A1DC58DA026F13FA
                                                                              SHA1:179FC259659B020F4495DBDB9349A78EEA8D172B
                                                                              SHA-256:9591264BFC2E13FB5BC8277DDB0FA59F3CB6F9941BE54B340689CB2D3028BDE2
                                                                              SHA-512:0964AF4B382A17CE52F817906914D990AD4B2584CCAF7B8887BE7058C4AFE3255741344DE6FC6AD0744717106986E7723F1C9F5CBD7A13A32C552AC70AD25E56
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3531712
                                                                              Entropy (8bit):3.7844153091218713
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k95gSRJQYKV++VYwjatvsDVpDsehRAKzYM:SQYZTWbDj5
                                                                              MD5:9144CA1B12B7793E8F18045B281D81C2
                                                                              SHA1:843A088B9482492885E81B8A5DB7DF5A7A99313F
                                                                              SHA-256:0C4894C91F6FC680FB1A761CF708032C6E792E806F47ABF0C0AD5B674188CB7B
                                                                              SHA-512:A609FC1D8A13D6BC46B80E975DC68930D28447852C5F53DE30A471CC989B6CB5C9CBE35A745518B482B283E32A65D6C1E5F41B02B49790E35F91DF1D8D0B3019
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):83880
                                                                              Entropy (8bit):6.556805464011577
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCEKfEBr3fHT4nAzHGkYJ+ziw6+zb:sr85CEPh3IAzHGEJn
                                                                              MD5:71B80598872DD0D2851C781764A85A22
                                                                              SHA1:B6CA4DBD84F0F4E26E641FD8039285AF43AEF337
                                                                              SHA-256:8295A24E5CFAB75404E37EA3986F43B62512E269934814EC08A10B36BE6C0B85
                                                                              SHA-512:259C91998EE162BCE784798266D60BB5C97A368E62E42A6791FE2F396399D73496ABEE3699453F4C04CFC968E3421F68981A14CA767BEF2E341FE9E950F97CFE
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
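Every dropped file listed above carries the same Preview: an `MZP` DOS signature, the Borland stub message "This program must be run under Win32", and a CODE/DATA/BSS/.idata/.tls/.rdata/.reloc/.rsrc section table, i.e. a Delphi-linked image now sits at the front of Office binaries that Microsoft ships as MSVC-linked PEs. The Python below is an added example, not part of the Joe Sandbox report and not the JoeSecurity_Neshta or MALWARE_Win_Neshta Yara rules it cites: it walks a PE's section table and flags that Borland layout as a triage heuristic. The two header-only PE images it parses are constructed inline; the function names, the e_lfanew of 0x80 and the section lists of the samples are my own choices and are not taken from the report.

```python
import struct

# Section layout shown in the Preview field of every infected Office binary in
# the report: a Borland/Delphi-linked image (MZP stub, CODE/DATA/BSS names).
BORLAND_SECTION_NAMES = ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"]
STUB_MESSAGE = b"This program must be run under Win32"


def parse_section_names(data: bytes) -> list[str]:
    """DOS header -> PE signature -> COFF header -> section table; returns the
    section names in file order. Raises ValueError if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        entry = section_table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[entry:entry + 8]             # Name is the first 8 bytes, NUL padded
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def has_delphi_stub_layout(data: bytes) -> bool:
    """Triage heuristic, not a family signature: 'MZP' DOS signature, the Borland
    DOS-stub message, and CODE/DATA/BSS as the first three sections. A hit on a
    binary that the vendor ships MSVC-linked (WINWORD.EXE, Wordconv.exe, ...)
    is worth a hash check against the vendor's original; a hit on a genuine
    Delphi program is expected and benign."""
    try:
        names = parse_section_names(data)
    except ValueError:
        return False
    return (data[:3] == b"MZP"
            and STUB_MESSAGE in data[:0x80]
            and names[:3] == BORLAND_SECTION_NAMES[:3])


def build_minimal_pe(section_names, dos_signature=b"MZ", stub_message=b"") -> bytes:
    """Constructed sample (hypothetical, header-only PE32 with no section data):
    just enough structure for parse_section_names to walk. Not executable."""
    e_lfanew = 0x80                             # my choice; real linkers vary
    dos = bytearray(e_lfanew)
    dos[0:len(dos_signature)] = dos_signature
    dos[0x50:0x50 + len(stub_message)] = stub_message   # inside the DOS stub area
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386, N sections, no timestamp/symbols, PE32 optional header
    # size 0xE0, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)   # PE32 magic, rest zero
    sections = b"".join(name.encode("ascii").ljust(8, b"\x00") + bytes(32)
                        for name in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + optional + sections


# Constructed inputs: one mimicking the Preview in the report, one mimicking a
# stock MSVC-linked binary.
INFECTED_SAMPLE = build_minimal_pe(BORLAND_SECTION_NAMES, b"MZP", STUB_MESSAGE)
CLEAN_SAMPLE = build_minimal_pe([".text", ".rdata", ".data", ".rsrc", ".reloc"])


def triage(blobs: dict) -> list:
    """Return the names of the blobs that show the Borland stub layout."""
    return [name for name, data in blobs.items() if has_delphi_stub_layout(data)]


if __name__ == "__main__":
    samples = {"infected.exe": INFECTED_SAMPLE, "clean.exe": CLEAN_SAMPLE}
    for name, blob in samples.items():
        print(name, parse_section_names(blob), has_delphi_stub_layout(blob))
    print("flagged:", triage(samples))
```

To use it on real dropped files, read each file's bytes and pass them to `has_delphi_stub_layout`; a positive result only says "Borland-linked image", so confirm infection by comparing the file's SHA-256 with the vendor's known-good hash before acting on it.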
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4319112
                                                                              Entropy (8bit):3.8167825827469506
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9xUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:kkyIgG47B
                                                                              MD5:A660A24C48B0673B94A8410325C43C5C
                                                                              SHA1:E601D5482D7386BA4731F659A39447D076A4DDB6
                                                                              SHA-256:4E5802F6C0D19AE853A12439906714659D4FC2D2C5D72462D905077794E3F3AC
                                                                              SHA-512:51DDAB96D9703744D4EE204A064767B2783FE2ED82082CF63149FCFCB983BCA444C9A42554F72D67BE026859C1C476FAB700849C5D0D16E204A213F36756A436
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):785448
                                                                              Entropy (8bit):3.9404929226943075
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9dWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:iLevUEcLe9l2
                                                                              MD5:03818EEB657D70002E0746E88B0AD5E0
                                                                              SHA1:5B16DC83561232312883A5E49EA8917B1EE45718
                                                                              SHA-256:00D746A158A3868BEB2F20D8F66789675BB981242A10DA5D1679B83F3F7BAC9C
                                                                              SHA-512:CD71721A34385D604352492D7A148F6C3AC144FB6B72D225A4F2ACDD4B309B703ED0036B429AEB31FE63B731773AD6A8FE77BFD620BA9537036BDEB90BF8313C
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1081280
                                                                              Entropy (8bit):3.7785410128751282
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C4yTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:k94s4wqmQN59wtSS2zwmG
                                                                              MD5:35D2A4B29F56EDDF4C5EE9AA5B79CC61
                                                                              SHA1:BC00C9FC4FAE06D0EC90A9F15915345E7025F153
                                                                              SHA-256:BC8A2062F6B156A773EBFA34125DC8673F960DD057C579D2C74181901C6AA644
                                                                              SHA-512:3CE8168A6EDCBD4A4AB4135EE7BBDF2923A62E4ADECFF19E183B2C54E5903318C5CB956AE28A76F04B63C7A3DD3E464C4AE90AF2D08F1FF5F53F525532B927DB
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1722808
                                                                              Entropy (8bit):6.4873312334955235
                                                                              Encrypted:false
                                                                              SSDEEP:49152:Fuoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:FuohO2km9PNsRZ9MtL4ktG5LV93
                                                                              MD5:F8441CD2F8B20FD75340EDDA57BDB891
                                                                              SHA1:E194B384448281D8821C7F78FA2083616B7D7339
                                                                              SHA-256:1F73799D4D76692CC95E6083B10990BACBB90BC016AF0D84A3B9DD5C7F03FAE5
                                                                              SHA-512:B1825AD19B960FAECDD8AF9675F29999363A3858A26E6FE610E03FBB4E84D62FC68BBBFCCAF7CE51C161B1DA011298CC4EEC43E57F35D24701AD249CC6678F81
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):307784
                                                                              Entropy (8bit):6.544986970069708
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9Q+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:zDWhS5g72veeU+v
                                                                              MD5:279AEE74740799844410CC17E9D7DD88
                                                                              SHA1:B2CD4BDD168C44DD877F12020E236681423F667F
                                                                              SHA-256:7FD117BC2E9167ACEB2A2E767F868C300645AE6A81F497B307FB8A5D3CF82DDF
                                                                              SHA-512:0447B166C1F28B9EFB7820349CE7277749B7155E98D7195DBB9509DD0FD0C1793E7A1C9B28C18F8618C1C23F9D7AF46704A313BE9FE4AF01886F9576BBF40EA8
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):97920
                                                                              Entropy (8bit):6.445251735006175
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCWzKAtCz72I/Q/RPTO5piDDFwzS:sr85CWuFvgy5piDD6zS
                                                                              MD5:BC9B4C47C903C054F90FFAF5AE807D5A
                                                                              SHA1:5E293D1A9AD5148B5DF0E4B3294C001A01AD81A4
                                                                              SHA-256:A26CA014A17928D1EDF1C1560B4B3E53F856C2AEF88C293EE78F6CDAB15FEF91
                                                                              SHA-512:7AA4B8756668DBCE4C5232EF7334DD7867E9F5107941E0F65BAE3FBCBC510275E69983372F03BF8A939DC4B4008F41470736D720E25969C5D913A5EDA9D40496
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1994448
                                                                              Entropy (8bit):6.549997020090568
                                                                              Encrypted:false
                                                                              SSDEEP:49152:3l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:3l8+++7hOXODHc/EdQ
                                                                              MD5:4BE8C1392D391FEAA6FB26CFA69BDFC9
                                                                              SHA1:FA3209AD786AB39EF8A4EF173E9C7291A9BCEB18
                                                                              SHA-256:2F182A705D4FED647B1BEC5729151DDC040EC3778825C212158B070F7BF06975
                                                                              SHA-512:1D77C2398EDA378C14EF19511C0A490BDCE2437DDF2E28BC9A85E1ED04991DD5FAA178C6C9E6019165C74DF4E8BCCEBDA6973D40067C019911B019AA3BC26677
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):275872
                                                                              Entropy (8bit):4.23571320386301
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCt6gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWpVO/:sr85Ct6gxe7z3OzY+9jTYbE+la
                                                                              MD5:CB1984EACAD27ABC9F009A4AD963A49A
                                                                              SHA1:5C6C4EC164A7C41332B605C6D9817030A473BB48
                                                                              SHA-256:DC15534405AA721E4B8F70A910B991ABB4F4F9A5A823A985110D56BAC974B881
                                                                              SHA-512:9806C1F7B4436442159BFD3D1D74308850072A343C059C3749BD5FA4DDFEAC9DAB3ED61E5A35A5E1CC717C3CDF2735B93FA1C99D5A27E1ACD276326D17E5ED06
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 100%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):751520
                                                                              Entropy (8bit):6.5238755488474665
                                                                              Encrypted:false
                                                                              SSDEEP:12288:PccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:POFJbl/6r2M48aVNfffNfWVNfffNfDw+
                                                                              MD5:B3C7E94C586500725E1F446C6A930D91
                                                                              SHA1:54719B158873B1E2402767498F31256321D856BD
                                                                              SHA-256:1A5CEC0A13524316A7D6646039EBA275C22F22CA164F30B4F50316220F299441
                                                                              SHA-512:089FE8377087A4EF69D89B75BE8E3442D5C20930C27E7E7FD24E455C96397FE8B7186E3DFF7F1B1FE71853A0C367EB392B6B59B1DCD726C1BEC7937D2BFE4E07
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):182712
                                                                              Entropy (8bit):6.326834639732507
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CRDbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:k9RXSSwVgvfkhvzHcWEM
                                                                              MD5:9103C2F76BDB6251CE480EE775266524
                                                                              SHA1:0F0C95B1A253D32BB23A99A72F5A77D91387A6B1
                                                                              SHA-256:D51F101246783235E88373EF28189EE54C97F41E46341BE0AF0D4DC455016E3A
                                                                              SHA-512:8F9598DF6E31EC58FDEEDF42E9A60C42ECC3A278E546614AA36177995DB61F3E2A3887564A2707AB4669082AE3CB2FAB5765D251F7970572C232BB1650216FCA
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):5174360
                                                                              Entropy (8bit):7.263311718032684
                                                                              Encrypted:false
                                                                              SSDEEP:49152:b/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:NtLK3BDhtvS0Hpe4zbpaAKQkroGIz
                                                                              MD5:1A968E122913ED79596A9EAA5E7BE7B3
                                                                              SHA1:96978DB6766A4827206397BA4E8D75A3E3353E7D
                                                                              SHA-256:C43AD12F1E78AE1817854FB54903030A89A2023E76D3A2CD6C6275B3AB1C21B0
                                                                              SHA-512:56217DD430159D591109231B2F657484BA7B5BC7DF832668A82A4DB8D6A925183633CA9E68C46E85EF759B617343A13D1CED3D8D91A082A87FFCDBB6E795F54F
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 97%
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):139712
                                                                              Entropy (8bit):6.527583416477957
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C4U5adWAKmzUccnzkVBgEuKjj0WWtPPoI:k9/+EjzCg+j6P3
                                                                              MD5:EE3F4F49708A511BA220F4C073C8E933
                                                                              SHA1:727CE23C7427FD900FDBBF06715F9764F4F24848
                                                                              SHA-256:9A7F835403920D85B948447C007988E1C1271D86F87293AA1D1C9DCE4EAD3DDA
                                                                              SHA-512:8BE2A84BA4F7845369ED052DC4E71CEED8E3B9C075D66BBF7FD1E1A5935CB50EA08F63AEC2B2EA8CA35DEB001F71EF2AF71C2E185D37A75FDEEB2050C79D7F74
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):380368
                                                                              Entropy (8bit):6.677799145653771
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9XzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:bw/2q/roN7ivCZci1FC74wdBlFYU
                                                                              MD5:3B22BCCC611D93FD2228E3098C8909A2
                                                                              SHA1:46C93B6587FDD25B710E6C0D0ABC426132DEBAA0
                                                                              SHA-256:FC06A5FADD20D729E99EBF82D696F982352147C7A96C7D55D5FF1F7CF1DA9575
                                                                              SHA-512:D98A167BC857DF9B7DD4FF2150AF495DAE0290A033C868E3AE00BB01CA7C68EC5D37C75D18BF88B87564CF9E38252360F0914E90AFB64A34929A579C691CB9DE
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1269696
                                                                              Entropy (8bit):3.750731544998065
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9Rvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:y4wXF
                                                                              MD5:9344D6088F4232059CC71D89680C627A
                                                                              SHA1:B6D50543A01F017F333CB69897FFD6B39DD0430E
                                                                              SHA-256:4C9373C646419B656C368FACB9BF903A3BE6C167B7B20DC6BB0D710AEC498FBA
                                                                              SHA-512:5B4229DFA9B17BB50F8A3AC1BDFF09395A5B1C0A25CD7B1953297CEEDE312C6DA34295DE61A62DEE6BEDAC1D130F745DC6704E77C8366D954ED72A0914B27CA4
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):266648
                                                                              Entropy (8bit):4.190895884532524
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCgRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4DU1:sr85CiezzvhF1h3wEWwwbx6ksl4D
                                                                              MD5:CB076D561CC084FC380019159755CBFE
                                                                              SHA1:911BB4A2E39DDE9197ECC4678367212B1AA253FF
                                                                              SHA-256:F9042977D236AF4627461B5F538823FDAD2ADDEF84EF202E0B75ED409D48E3C2
                                                                              SHA-512:68736CFD5E6488DFB24D65173726EB819DA40AEC1FF7EC6CF4F39A15CFD3AEEAC1672364AE50BE5A417A10A6C50E4546F1947BF323C3FB184802F903455434D6
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):715760
                                                                              Entropy (8bit):6.523751448498997
                                                                              Encrypted:false
                                                                              SSDEEP:12288:Y4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:3tFDKMg4iX3djfy0blmFlme303
                                                                              MD5:0E537E151DF5C171C213A1F44DC5F0BE
                                                                              SHA1:E8EE7F0D91D69DE3FFDB1E91E1DDB404813B39C1
                                                                              SHA-256:CF49D45B6A84D77F5E9A722FE7182CEF9325A355D885BEEB4D1DF3D88C1CE212
                                                                              SHA-512:4968DF9F4DEA49214638C86D73A03EBF4BB93E3242022B933B20E47B22AE65F77F57667B701A32A2779D63667CFE718ECB67B55E317402B140210757439FA4A3
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):619944
                                                                              Entropy (8bit):6.639567335107148
                                                                              Encrypted:false
                                                                              SSDEEP:12288:ZM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:i8JgryFPLNWuX40RulAPn1OcnGVNfffl
                                                                              MD5:7B39C44B384E1A5940D5A5E30C8D3E91
                                                                              SHA1:26B7AA2EFF58E1D4124AC8C70766A15470FF8BE0
                                                                              SHA-256:EE9FA9DF2D9125438C869924D9ADF3FB141F0D4C4F05C84D1833669E15FAED31
                                                                              SHA-512:2E8D640CE261BCFDA809A0E896662C3AA5F5792AED0938C75D0EC4B5CB20BCF6895876E44228AD7B448D908EA4544EEA88F7F4B8D379B43B8BE53F849A948054
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):150416
                                                                              Entropy (8bit):6.5018296889200915
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CCQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:k9CQMzhdV0nh4Hof7
                                                                              MD5:3FE6C68EDBC948A6D2775DD2EA56088C
                                                                              SHA1:2C03FCE97D064B53F98EE100E5627418514BBBF7
                                                                              SHA-256:5681B2A8F44A21E3E1D63B8A99100A453F90EE1E3773240923164922F481B633
                                                                              SHA-512:2BFAECFF86EEA49F3B79215CAAFE401FCB65D74B4A0757AA79E439A7AD90C52E1E43285B438368676D5A08E20B37C349AFFD362F7CDFE7205CFF63E445345819
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):264576
                                                                              Entropy (8bit):6.643046809005812
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9y872jsLuLnPo2TTHswP2TGz3FUCHySYI:b+2jsLuT3MfTGW5I
                                                                              MD5:F85301DABBF0103EF7202407D2DA6489
                                                                              SHA1:6BE78DB8650184DF98A1B968177E75BB782063BF
                                                                              SHA-256:8098FAFAF941BD5678FB8B72F560E1AE06EE593C2432163A56FBC60D8FA43495
                                                                              SHA-512:E5656464BC5030232CA6E0EC58BFB5F2116C6E464CEB1CABDAC941826876ABF3F108B18FF5785779C7B75D153E01857CF37B49D88E2180CE515B02E344583863
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):108448
                                                                              Entropy (8bit):6.051786357762204
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCMweqz1lezmtJwzojsKyyJFGgHZ//rHzb:sr85CwqzXe0wSyyJFD//Hb
                                                                              MD5:C4E2228168447160D7F54331ACE1BAAA
                                                                              SHA1:7878BAE3585B8F37E389DEF0A2830D0C72121CF3
                                                                              SHA-256:99173D535320C612AE308D5AD58FDA6F6B8EE5AD261F1E038421D2FC53767AA2
                                                                              SHA-512:ACB3DCA4F6AA6DCA468BA4A42BFA3003F7A4BB0AB18A2C2F99A493C5765FAB5067FB3865C0C02AD6960439AEE89FB2C166BCC90B6A77FC9CE21DC8C1F4B0037A
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):662600
                                                                              Entropy (8bit):6.001086966772804
                                                                              Encrypted:false
                                                                              SSDEEP:12288:Vpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:QFEWi4JtH4PoRfoFIxZPk0NKbB0R
                                                                              MD5:A21FA1DB62F89FAA23E737BD8B609F8C
                                                                              SHA1:62E374C2F71DCD922D6058D735C944A66076FBAD
                                                                              SHA-256:AC414AF78ED3914B1E6EB7E4598F400CA7631BC3AA4C8088B0DF5617AD04967D
                                                                              SHA-512:7485D968298DC04AF7A2297DF77C83EE5A25BEB0AC14932445063EF075FB2CA565AA67E5CE0E4376BFEA7DD31B1B53E66A061E8B8C535887BCA998086132DF94
                                                                              Malicious:true
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):260560
                                                                              Entropy (8bit):5.4470915703839395
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CH4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:k9HPfQdhMuj4VM8imPjGthEWV
                                                                              MD5:034F80923F37E7A9899DEA48FBADE531
                                                                              SHA1:40E144C96F7DBB162F02833B01A7F416D65D4403
                                                                              SHA-256:521D052B5B7EBEA5EFF613B52FF7ED2659B4D2A521D6A19A6A146C3CE35118B3
                                                                              SHA-512:2275624F5C92C4B4C606D5CEEBF69F072CC1B7ABA2DAFE8AA7FB672F3B81A8BEDD339EDFFB41192C51CB0F48CB9EE76E090D7A43DE9ADA19D0B8BF2D099C7059
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4316200
                                                                              Entropy (8bit):3.920672560845374
                                                                              Encrypted:false
                                                                              SSDEEP:98304:/YN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXsw:QN3nsBcghvEyqf/whxz9hRJ5Rbisrbdr
                                                                              MD5:47939C01C26C95ADA390474944E9F9A6
                                                                              SHA1:9CFD7A3DEF7081BB3C54584E2515C30C7C04AD76
                                                                              SHA-256:9B0869B5057FF84777E81C2D0E0A1E97AB5ABDDD7D80C8D4C94B1C83A53485FC
                                                                              SHA-512:0F342D003CAC4046AD71858225DACF6A42AADBB4F28F0F022C1F6C5D37D37355341B9F6DF8941AC310324CF853AA141195BFFFC4A1C9935558FDBE387BC25E26
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):124056
                                                                              Entropy (8bit):5.727061682781764
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
                                                                              MD5:9A2455DBF03A4E060F7BCCA43DD3D64E
                                                                              SHA1:D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
                                                                              SHA-256:0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
                                                                              SHA-512:DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):358336
                                                                              Entropy (8bit):4.514937306069578
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9eyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:5x/B/kib
                                                                              MD5:C3A4840C5D7823C978C55DA5DA54DF16
                                                                              SHA1:BF3045BA5D19667D7B3CF1E9CDF52C7CD7CF1101
                                                                              SHA-256:9EC2D985D3ABDCD53FEAFD25DCA72990C37718FBAA59BC4879B941561870B369
                                                                              SHA-512:4E76AFB30D33518576E53057C04B8321BF3F209EAB57389C548D3C67DDF968831DAFC74264DD573D9331D74CBB31FE2B09F6149E7786A4CEFC6ABFFAB42F7084
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):763032
                                                                              Entropy (8bit):4.116647791553155
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CSwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:k9SwRnj7XXXXXXSzuz8OZ
                                                                              MD5:5F6E2215C14D1B014007317077502103
                                                                              SHA1:B60E82B3994D4612280E92F8A904EFE995209D61
                                                                              SHA-256:0F15CBFD62C0BEE02B273A9205A780C7440B70E99391E8155D05930DAAE487E5
                                                                              SHA-512:5E77C8AD2B79A4C5F153B90316CB22D1C09E5E5B5F7DD888EF931B1C2CAAE396B1D09A3874A173ABACF19705979C54FFEB77411E580F91258CF1D9A5B3F8D6AF
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):895120
                                                                              Entropy (8bit):2.966305885964938
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C+fCEq7tOxIfMFzCEpAm/4rx7z1arf+9:k97z8w
                                                                              MD5:379B19683AE0BA12E72D1E6CA8CB1612
                                                                              SHA1:4B48C8899121137D5637838E9610608245975078
                                                                              SHA-256:3C6082AC7C3AB5EF4F0A7DF17497760B96C77BDDCC8A753881006E74C39044E6
                                                                              SHA-512:CC8F80347BA3E0BF5EB5E4B90E28FFE23FF1F5B18FA1E0AE9DAEB27CBAC51E52053C9173332C2688FFCAAF2CC84EBBBAD31386F6F6BF7DFE2668EFB7D1F2E9E8
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1082008
                                                                              Entropy (8bit):3.7745537489281356
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                              MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                              SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                              SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                              SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                              Malicious:true
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):105440
                                                                              Entropy (8bit):6.087841458302814
                                                                              Encrypted:false
                                                                              SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJrrZ1jL9zxwKeL9zgt5tjTh7D9:JxqjQ+P04wsmJCIjhzxwKehzgt5t1D
                                                                              MD5:22753C1C6A88FFB01068FF391B0C3926
                                                                              SHA1:FBC83E06E31A9EE5A827D90481BEFC36EBF085F7
                                                                              SHA-256:E727CB8EF6D54A511C18E4FC92AA94841AAFDC284942398D35D1B091CB97D8B1
                                                                              SHA-512:CAB6DB0DD9EA2260979130415158FFAA22B6DA8E281138D2CB1F569F09384A3E5A5C3935B8B8DC76935F82D9CEA7172904A35ED23678CDD670152E065F20D64D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):537536
                                                                              Entropy (8bit):4.968722692341351
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C9PMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQM6ku:k9EwVR6V7byjUWAZyVVdz8eEdGo
                                                                              MD5:A72A576B968347739046BEEF59A3B97A
                                                                              SHA1:545247805365655FF64D1A70F672A43D2B4E682E
                                                                              SHA-256:A1313CE60D736ADFE281422421401E327979DDD34945A4194C66E9235DAA884C
                                                                              SHA-512:9850A6A6B5310C2437964C199FBDD860CA202A7C78766A0F710B29FEED4541CF09307B9AEB74BD7455CDD7A1D7B990C78285B7A79C699B9BF65FC4426649927E
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1271952
                                                                              Entropy (8bit):4.084096712356835
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C93ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppapG:k9eKQSNdhnSzv
                                                                              MD5:892E75C95404B2DD9A4753F53B530F5E
                                                                              SHA1:6B9A7C5827A767520B61E3192BC3951466CACB35
                                                                              SHA-256:8EE17679C7E631E0A80CE70778CB3A7BBD044E5C57BDC65526973B421EED3AFA
                                                                              SHA-512:E7509867E5D3AE99368882A008921086A38F8B890058DCE61EF4C95CE20B7F9B5B1E88F4F038BC792F70888349B27E978F559DE287D7E89C979777086FA1D286
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4099760
                                                                              Entropy (8bit):3.7180860871313963
                                                                              Encrypted:false
                                                                              SSDEEP:12288:uBKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:uBKszX0FjOeblHiled/k
                                                                              MD5:C192144B8943B415548AF24878815096
                                                                              SHA1:4DADFF2BCB636AE059DFD73067DC938EEF5CC725
                                                                              SHA-256:45AF4FF535E765EB6973B13C76A80D6A9F4FA4D0B3660FB5D5831718DAC21C38
                                                                              SHA-512:C50A756D3288E1F779E118892C21C3908503D6D10FB8DDFAAB4F34C5D13A71DCE97933B6977B3AB83E344B0741305532BBBB5C9AF1B6B7F6CB1E1526F51330FA
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1273488
                                                                              Entropy (8bit):4.319301892791611
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJC4qYvbZthqyEATS583ONoTqzaezuC8zFtxzzqO9uF:sr85Cf6bZt+ATS583ONo4aezJ8ZfqiA
                                                                              MD5:025B19077CDB23D9DC885FEBF629CDC5
                                                                              SHA1:B7930EDF5AF2089834CFA6DC190AF5EDAE20831D
                                                                              SHA-256:78CFA64C50350F824AA2C627FB54D8F06E444810669198074A06CC5AE743D62F
                                                                              SHA-512:C1134FFEE3CE07CB19BD9AFED8986C98588A27EFDB6E8BE72B1571FFF7B18F4014BACE244074FE2846921EDBEAB308058FE93DFE7E17CCB46C225035E4513F68
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):124056
                                                                              Entropy (8bit):5.727061682781764
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
                                                                              MD5:9A2455DBF03A4E060F7BCCA43DD3D64E
                                                                              SHA1:D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
                                                                              SHA-256:0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
                                                                              SHA-512:DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2970664
                                                                              Entropy (8bit):3.8530507327775085
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C4Nd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5NGu:k9I/V/CfDhNG5sMXjjzmEPoL
                                                                              MD5:AB3E9B8C0565CB076490949DF074D582
                                                                              SHA1:F5BEC2D8CCF13A10D82C27B9A14289A009DDDDEB
                                                                              SHA-256:1C4DA1D108B71EE639AB846128E5F08D6E5EFA4D5BE02C2862597BD4BDD96DE7
                                                                              SHA-512:532493C141AC8E3B5FFD99E0F13AE8A26E4838AFE7B282A02C62B1BD2B7083DD04EE1E39B8A2BFC559DBB7B8CFB6D64D146BB20593A0FAC64E41DB5D81EE7287
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3531712
                                                                              Entropy (8bit):3.78009314420001
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9msSR7PYKzz38YwZItvsDu7DbDhRAUzHW:ZPYmLWSDBy
                                                                              MD5:3AF0E40A55AEE11DC01E0F1943041494
                                                                              SHA1:ED8F0489550B78892E6FDF80784CF5D672AB3F2A
                                                                              SHA-256:8A8212E9F7615A590E3BD2AF07E650FEA60CAC875388F57F7AD1CBADD65A11E9
                                                                              SHA-512:54741EB3ACEADE514E1E305A9D4937C59266DFC20F108F9A87C56EF283519A8CC6DAAE1953706A20860F390520C48C0BB5A4482C751E335B45A0E5858967D765
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4319272
                                                                              Entropy (8bit):3.8126753798312922
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9GmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:z+6M+595B
                                                                              MD5:A914483FA2C2F86E415633657D33D59D
                                                                              SHA1:E687C9ADB19340050BB434F1A309290C72D0DBD1
                                                                              SHA-256:42B15769C1B7B74FFD9022A9E377783EE59F1F75688E1345D1A09DBADBD3102C
                                                                              SHA-512:1784002A4E99F5DC77C4DEE11FB25E413A2840F4FBA5C001F40BADE7A8DBD172B363BF6EBF66883FA2A3FC0B03E3ACDD5FC485EF7DD3DA4493CDF93D8C2EA4DE
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1082008
                                                                              Entropy (8bit):3.7745537489281356
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                              MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                              SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                              SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                              SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1082008
                                                                              Entropy (8bit):3.7745537489281356
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                              MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                              SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                              SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                              SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1082008
                                                                              Entropy (8bit):3.7745537489281356
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                              MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                              SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                              SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                              SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1082008
                                                                              Entropy (8bit):3.7745537489281356
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                              MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                              SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                              SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                              SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):582184
                                                                              Entropy (8bit):6.400758373600043
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9KLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:DLxT8DhyiLduCe/lSpn6zOvYUFg4/
                                                                              MD5:C0386A35F92FB82637471B03FCA1F0CA
                                                                              SHA1:08E07F04682C582336D3531610A20DCD38CD43B9
                                                                              SHA-256:77AD987963ACDD9D867BDD33F3778088B9AC461334BC4A1E49A4982D325E702F
                                                                              SHA-512:E6449FB51F16A1674365D4CE644DC0148199524E9D9DACDE0FB17B26C0C4652C924BB6CAF284AF125958632B9BCB111069EB6FC9EE1A26D83B15F67EE8DA365B
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3837992
                                                                              Entropy (8bit):6.4449937551945595
                                                                              Encrypted:false
                                                                              SSDEEP:49152:tB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:5HzorVmr2FkRpdJYolA
                                                                              MD5:D7932DE11B8AD54A41413381EAC41AC2
                                                                              SHA1:8B383BA02414803CFD515A8384434AD5CBB70231
                                                                              SHA-256:DC1F4FD1F3F718C6965F038472EDD640437CBE0BD2B77E21945073AF404CB90B
                                                                              SHA-512:48C561E17BD75181D3ADEDB41F1172BB95163E3DC5792DA212C218F80878D45D3C49BEEFE44E76BCECA77EC644A83A16C59316CC2178A976D91347D389B3741D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):161832
                                                                              Entropy (8bit):6.154443017106145
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CX2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:k9mVSktVjv3Xg5T0FIY6
                                                                              MD5:6A0721A64003242C799CF2DD85B0713D
                                                                              SHA1:AC7451D1A042B9980D506B43237C5C8A3D218989
                                                                              SHA-256:88EB264B7A72C62D8FC399469E7E573BEE906C8939513F3A869656E5B667BBBD
                                                                              SHA-512:B3F3E9DB4126A6479E6CB455FE8BCE1F8BB108270C2BA9C422E17932E901A65CDFED66DAF2A11C082BC924EC9EA51484418F4F09990848B91912BD3E1EB63AD7
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1827880
                                                                              Entropy (8bit):6.540770888228441
                                                                              Encrypted:false
                                                                              SSDEEP:24576:bhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:bhDdVrQ95RW0Y9HyWQXE/09Val0GE
                                                                              MD5:624A5B15DE2385F6CA42DDCE0E24D109
                                                                              SHA1:13FE13198A9BFA24774EEA44759471B31EA439E7
                                                                              SHA-256:A7DF6A45B54B30014DB94309F3BBA50A1EA8EFB8EAD01682BAA6826E533418C5
                                                                              SHA-512:CE244B2DAF739BFDC491C28129CA6504966CAEFEA0BBE16871522089A825133F2C1609D51266058A62D767F3624C514421F09D50DAC5A11CE26B5C8B804A641A
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1297448
                                                                              Entropy (8bit):6.514786717345656
                                                                              Encrypted:false
                                                                              SSDEEP:12288:bdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:b70E0ZCQZMip6Rrt9RoctGfmdd0
                                                                              MD5:C9FE3D4AA1438A059AAE69A5D8FA4269
                                                                              SHA1:288D3F38B4A6797E15187C00A24D0AAD1B5BAF60
                                                                              SHA-256:913E86233F11A6A269DA1A324D43C9FF737A9AE0DE1D9DE59D0AD961137B9F2A
                                                                              SHA-512:0775ECDC44DB15BD92B103F75410BCB4079D7165C6FACB7CD0DBA091DB94E4A6648A85563FE24E33D862E16CBA73993461533D4CE196078FAF6AA9030D39C288
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4251688
                                                                              Entropy (8bit):6.5065813007912885
                                                                              Encrypted:false
                                                                              SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:EehFLvTQDpB5oSOmlBl
                                                                              MD5:23A855DD7FA34F616F73B392E464E216
                                                                              SHA1:EFD849CB22D1D33B16D6FECD54C318B0A6E222EA
                                                                              SHA-256:E198D71BC75B0E61DD2F61080062B4E41ACDFC7F7FF148CB11839DE3E0523A27
                                                                              SHA-512:8B4AF629B2022F10FF2D3FD4D4C73F9B23CE085B08B70FB29044D03F0FBC498BADF4D62854378FB0A0E6A2DBE2848D0B83550C3F6C3C08CF05C50C81B04B6A5C
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1319976
                                                                              Entropy (8bit):6.504627467158373
                                                                              Encrypted:false
                                                                              SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:giD2VmA1YXQHwlklb8boUuWPg2gX
                                                                              MD5:ADDCC10DC80D3B994800C6B44EC0B5E6
                                                                              SHA1:C52E9B1C03747A2B4F350E6CC288851DE64AC113
                                                                              SHA-256:03B114F2F97AD84613CAA8E5F964D4C8BDA56DAC8EA9C680A1DFBC43449EA14F
                                                                              SHA-512:74E250EA454D878ABF1F9CA3E7AEC66600A5FC785555FDF708E22103D51E939072A0B28FA7AAFD847D370DC03781F723B216117361389A3F87F3F93874D26AA1
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2327080
                                                                              Entropy (8bit):6.531478857250512
                                                                              Encrypted:false
                                                                              SSDEEP:24576:+fD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:+fD3zO9ZhBGlopzM3HRNr00z
                                                                              MD5:DB94AD04A7559F74A92620CB04373946
                                                                              SHA1:826B3FCF77456D83544CC451561FC9DE5978DAEF
                                                                              SHA-256:8FC9FD66947D8CB6D1BA902B3174924A872176273E4B9545CC05F2486A0AED73
                                                                              SHA-512:E5705F611A87C57C2172055A947CE5BBA675605319525FC2678D317625826A9893D1149911640796BAF0305A94FC76BDB79C8F31D7782CF113A8904B3AD41100
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3790800
                                                                              Entropy (8bit):6.537921104997593
                                                                              Encrypted:false
                                                                              SSDEEP:49152:OTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:hI72LvkrCpbxJRoIMx
                                                                              MD5:5750A055DF2980C145707A60B2CDE7EF
                                                                              SHA1:26774B8B7BA30DB32A6AF0A6C7FCCCE981823474
                                                                              SHA-256:A954923EC03888AD38B22F135037F62F520988C5A5A87676882A2B972CEB54EA
                                                                              SHA-512:229FD22736C66BA9D5836F2D2A747D4B761184BA134C818D91B443E255CDDA32CAFA4419CD19AD49915CE20206D865F4B7F9E0B388C20298857B5BCA5CC4217B
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1535528
                                                                              Entropy (8bit):6.517840298614509
                                                                              Encrypted:false
                                                                              SSDEEP:12288:q406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:rW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
                                                                              MD5:366FA8E2786C71AA81D106EF9FA15233
                                                                              SHA1:B626BA440B5EB37132849B697AF040A7E462E0B9
                                                                              SHA-256:1B87E233A5CAEA65CD8D8EBC91AB48A42F18FC9991041599C202EA85995EF24E
                                                                              SHA-512:D596450A8A03F6894982DAC3861C4E34339521F70DEB5073343F19565DA47A168025DFA3C1B7178677C9116A22F6A499D1277F28D1E6B829743D949D9592A848
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1273384
                                                                              Entropy (8bit):6.516053672496002
                                                                              Encrypted:false
                                                                              SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:CwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                                                              MD5:64A7111DE17E26E2B89E10AE82FED662
                                                                              SHA1:911E048F0336C9BBA3DA35E48BEDBBF04B4035A9
                                                                              SHA-256:3C470FD7B87FCEC230016076A57F77324766326295D90138E4A780EFF0DD36B9
                                                                              SHA-512:65A8D9276DD61A9666323D4A73950D854422B43BFD4D43F83AEB1895DD3338869216A53930B10B753347B6C8DD6338FCEEB3336E41730DCE74CCC01FA7616C5B
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):582184
                                                                              Entropy (8bit):6.400936059459134
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9KLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEB+vMKC239YcWegBdQ/:DLxT8DhyiLduCe/lSpn6zO3YcWeg4/
                                                                              MD5:A7CDA373FCA11D6EEB029FD727F6DDD0
                                                                              SHA1:1276A053735941055356FB1F80E1AA7B86191130
                                                                              SHA-256:FB3B99A2E3DCC779262766AF821F1FFBF97381285C647EA0CB4D3C848E864EDD
                                                                              SHA-512:6292B1ED042D35BF41C7122CE0729A10CB539675BB23902BB899BC48E4677B970A21C052B336DCF61346243BC2B8783FA9D645090F876DD95A4AF44FB9167D71
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3837992
                                                                              Entropy (8bit):6.445010152117068
                                                                              Encrypted:false
                                                                              SSDEEP:49152:tB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8nsct:5HzorVmr2FkRpdJYonf
                                                                              MD5:638DD04FDB80F09131230BAA866C7F33
                                                                              SHA1:E4970BC6E400A41FE00CCD7C2EEFB663A06A1521
                                                                              SHA-256:DEC3FCCAF14C63D3F76E843C4973D0C42AB43500BC0C4E244661FA33A32FFA8C
                                                                              SHA-512:B29CD904E9C3176C28BF5316F4C88B1ECB582310CD61C87F934F42B00453D809B6BB4B9C81DE262C55BDE391D673A71E2B16AF7ED7205B656971792B0AE487AD
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):161832
                                                                              Entropy (8bit):6.15462571311845
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CX2VSd2ga8LActASiZAk6BKuBeU5M3XgcoT0cs4qIm6Y6:k9mVSFtVLA3Xg5T0FIY6
                                                                              MD5:AEC97F14CB32E4473CCFCEEE3414630E
                                                                              SHA1:FBE10ED6B17ECBB49B5749ECC13D4F82FFCC2105
                                                                              SHA-256:0A831E125B2A928C8A77A4D235AB7F78E7F68396E675A6C7EE83678952CCFF73
                                                                              SHA-512:DE05E6DA8E59EC0AA381030A9FAF9A9E07BA7AA647DE9D3C64C116646D388B1BE20A884DF6709ED64AFB59D4CA7AB1D40AD1964C62FF164FFBEB7893F61C69C8
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1827880
                                                                              Entropy (8bit):6.5407573599295254
                                                                              Encrypted:false
                                                                              SSDEEP:24576:bhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmaSGv3I:bhDdVrQ95RW0Y9HyWQXE/09ValqGg
                                                                              MD5:0A2DF5817ECFB6C13DD006396EC483FF
                                                                              SHA1:5A680A5626E4A8A72B7C4F60D75236E7714B6A6D
                                                                              SHA-256:CE97125CBEEADED7382FAB1E4EA4F44BD14CD4125D0872032FF0D70A40B807E8
                                                                              SHA-512:73342DB5F0DE436039A24A7BD75ECEAC071B46AC816534F7465278CD47D62A3FB38E8AEADA78C9727F8434C92A96DDE81EC9711A6BD90020FEBA39BE705C07CB
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1297448
                                                                              Entropy (8bit):6.514829630269744
                                                                              Encrypted:false
                                                                              SSDEEP:12288:bdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfousMA+nkzddSDCDIq:b70E0ZCQZMip6Rrt9RoctGf4dd7
                                                                              MD5:2C299EBC50A9C606FB56C150D272AB6E
                                                                              SHA1:2A3171FDD0043622013E1AAA856411285DD1E0A9
                                                                              SHA-256:CB02DD09C8F959D4F87C3DA73431E72BC1179F630926592DFFDB6B01DE676130
                                                                              SHA-512:C6ABE668C5E6486F7FAB0EAA6CAE5E616829D57FE05EBCBA1155BC98602D94031B1C2544DBFC1DAAB87971F45D6BF7A0636DAA54C5797C0B6995DA034C6D1A4B
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4251688
                                                                              Entropy (8bit):6.506601585747478
                                                                              Encrypted:false
                                                                              SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9k3hO2y/BG:EehFLvTQDpB5oSOmlWs
                                                                              MD5:2D1AFD81B69BDB71E8752FBA29DBEFF7
                                                                              SHA1:5ACE2DF88FD36BA3B059E9DD843E56FDDDBC43E3
                                                                              SHA-256:913C4E2D675E4141241D736F7EE4579768AA92BAEED7AFF2599665810EA07A93
                                                                              SHA-512:5CFC7635760A2DC46F377BD577BEB10762EEB02959F869360F690471E6C2CA925F00CC22FAE8330380F656E15091081138582352F2A2FFE6CCD5DD6433030458
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1319888
                                                                              Entropy (8bit):6.504468342684673
                                                                              Encrypted:false
                                                                              SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVKMA+nkDhF242oz5:giD2VmA1YXQHwlklb8boUuWPN24Z
                                                                              MD5:2A860E6C0769147E3B8D3334220CB3CF
                                                                              SHA1:132FD725E8DB41D80BF8F80AC88ED711A69985B7
                                                                              SHA-256:179F9F3EED6CA07120C5F0C23B27CD78E4FBF47ACBE5F94A6F5D3474EA97B6DD
                                                                              SHA-512:2F6E05C35939BB827B0C55335BF34252539BBA694CB39A282DC698C47C3FFEC095984C0341C991F7C1C7DA4667F8678D4BECEF1CF4F387D8C79749E7536EF89C
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2327080
                                                                              Entropy (8bit):6.531427859835536
                                                                              Encrypted:false
                                                                              SSDEEP:24576:+fD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPzkkkkkkk+oIeA+:+fD3zO9ZhBGlopzM3HRNr0T+
                                                                              MD5:F345610CFA0F124DB4EACE9B5E5DA7FC
                                                                              SHA1:7ED5AAF590BA295CB47A9B7578C9B4E503B99724
                                                                              SHA-256:5614DE715D8D354214710B6A2FCDD7D800DDC5929316494AC5F6A891752D6E7F
                                                                              SHA-512:BD96F81193F3D66E220AAF7FF07EF533A01E6F2446E43EC11C30D0A839BF447CDAC70E3E3E1979055F2C2C376633B2548FBF495BCCE8D0A57CDA0EA92F12CAF3
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3790784
                                                                              Entropy (8bit):6.53787335939445
                                                                              Encrypted:false
                                                                              SSDEEP:49152:OTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl952hS:hI72LvkrCpbxJRoIMP
                                                                              MD5:6D59D0101B966959D2CA6D9DE5CD18FF
                                                                              SHA1:82F49FD714143AF53BBEF485CC8FAE0B61DF33B7
                                                                              SHA-256:89E9B10249006F9D1E3C1545364C05D958202612D32D5AF1E3B5FD3FCA2A19B5
                                                                              SHA-512:010405526F02EA57CD4DBF57DEE3FD65496CE78B8F61E0676D4B81A8C721D09FCA3F19FA4AC76223AA673A54164BF4D97F202D7A18EB24949AD2012982696979
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1535544
                                                                              Entropy (8bit):6.517950188129204
                                                                              Encrypted:false
                                                                              SSDEEP:12288:q406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwomMA+nkVZnHt:rW9Jml9mmijZiMnF+ZxmQWcbLwlVN
                                                                              MD5:E8CC4E4F901E983E0BD3F5AFB0E0B317
                                                                              SHA1:EECA8C668CC4A272D3930F5E157D8EC559986EEF
                                                                              SHA-256:ADBEB820AD1248B1BF317E66D3CD47F0581333ACAFF9FB71208BB98D10F0F70C
                                                                              SHA-512:AE719A867885D5B534F4F373096BDA4EA67F2BB1B153D8D900116C4DD3CA31427E0FA01792492A9418131EF8D859837BEC97280E74A103C459ED08793ADF34A3
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1273400
                                                                              Entropy (8bit):6.516132050961381
                                                                              Encrypted:false
                                                                              SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkIogjkd9:CwNHwoYhua6MtERO4qbBJTY6mY1u9gK
                                                                              MD5:5004BCCA237116BD2D00C8EDFD68D420
                                                                              SHA1:067792234F129A179AE9C8BC0C4DC7F1519862D9
                                                                              SHA-256:7D2270C167403F984DD601BA21E9CF228BE8D2F156A33CAD14529E477C90227F
                                                                              SHA-512:B04847858876A4A10AC01FC6CC78BFD1939F4D535460DE57498806E8DFE9CC8A5AB445D3D632BAECB6A9C2270C6D983833BF8BFBF4D59813CDF2CF28AE1DCFDC
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4251688
                                                                              Entropy (8bit):6.506601585747478
                                                                              Encrypted:false
                                                                              SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9k3hO2y/BG:EehFLvTQDpB5oSOmlWs
                                                                              MD5:2D1AFD81B69BDB71E8752FBA29DBEFF7
                                                                              SHA1:5ACE2DF88FD36BA3B059E9DD843E56FDDDBC43E3
                                                                              SHA-256:913C4E2D675E4141241D736F7EE4579768AA92BAEED7AFF2599665810EA07A93
                                                                              SHA-512:5CFC7635760A2DC46F377BD577BEB10762EEB02959F869360F690471E6C2CA925F00CC22FAE8330380F656E15091081138582352F2A2FFE6CCD5DD6433030458
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1319888
                                                                              Entropy (8bit):6.504468342684673
                                                                              Encrypted:false
                                                                              SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVKMA+nkDhF242oz5:giD2VmA1YXQHwlklb8boUuWPN24Z
                                                                              MD5:2A860E6C0769147E3B8D3334220CB3CF
                                                                              SHA1:132FD725E8DB41D80BF8F80AC88ED711A69985B7
                                                                              SHA-256:179F9F3EED6CA07120C5F0C23B27CD78E4FBF47ACBE5F94A6F5D3474EA97B6DD
                                                                              SHA-512:2F6E05C35939BB827B0C55335BF34252539BBA694CB39A282DC698C47C3FFEC095984C0341C991F7C1C7DA4667F8678D4BECEF1CF4F387D8C79749E7536EF89C
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1273400
                                                                              Entropy (8bit):6.516132050961381
                                                                              Encrypted:false
                                                                              SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkIogjkd9:CwNHwoYhua6MtERO4qbBJTY6mY1u9gK
                                                                              MD5:5004BCCA237116BD2D00C8EDFD68D420
                                                                              SHA1:067792234F129A179AE9C8BC0C4DC7F1519862D9
                                                                              SHA-256:7D2270C167403F984DD601BA21E9CF228BE8D2F156A33CAD14529E477C90227F
                                                                              SHA-512:B04847858876A4A10AC01FC6CC78BFD1939F4D535460DE57498806E8DFE9CC8A5AB445D3D632BAECB6A9C2270C6D983833BF8BFBF4D59813CDF2CF28AE1DCFDC
                                                                              Malicious:true
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):225232
                                                                              Entropy (8bit):5.921842033117269
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CPcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:k9PcwVz4B8c37KoNX1q
                                                                              MD5:C0877D9CC17715787EC3329EB0FAD7C1
                                                                              SHA1:E51DA518D764E4982471BE235E096A8D11217A56
                                                                              SHA-256:17C75E1739499E52B56470EED4C924379065703E8C665E449882E02856F96205
                                                                              SHA-512:EE748102A0C002B25989E073585DD7A611A64E85CB0C57CBD6592733A038BC8EEDBCB8F917BBBED02D7759C5621F5B6B03A587B317FD13A4014CF113C4FC4C57
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):247760
                                                                              Entropy (8bit):5.770986149607887
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CKW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcxAe:k9wl/DRfkTC3dM7B+mCivAT
                                                                              MD5:86242784CC98EBA7A0B0A1833901F76A
                                                                              SHA1:19178197143972E718023C5EA70F631971A4BC2D
                                                                              SHA-256:AB99BD10F6FB73856BAF95E9D4AC0434DF660B74388E53206955B9B512F3350D
                                                                              SHA-512:2AFEB5CAF7728E2EBD04D3BF42AD55AAC759CAA453FFDF6BAF0D8E7095782F90E165E3009ED619A7E8A3E62638C12D8C67016092972E193215DF9A3422ECB589
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):142288
                                                                              Entropy (8bit):6.426113960826444
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85Cy684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:k9yrTB+AleYIkifYUF
                                                                              MD5:9AD6CF45A4476B8A6AFC310D5E410235
                                                                              SHA1:07A614202F584361E48471CB3DBDB3FCD24E47FF
                                                                              SHA-256:1655811CC8A1E4BC12127B20600F93AB3DE3CC467CED76ED99C04C83FF15763C
                                                                              SHA-512:2737F8675AC768EDEA72CDF6F42579F1FC1ADE43122AFEE8971801ECB2F2E93DD10815DA419328D3BE26FEC7C633F881027BFF088877FF9F80BE96D5C106AABE
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):259024
                                                                              Entropy (8bit):6.0902993716555995
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C5XEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:k95UVwleMITTmNv1ohWsqYI354I
                                                                              MD5:628F406DFCBB08B84171E530D77B3C9E
                                                                              SHA1:0A22B2ECAB9EAD7F1D399773BD1BB1FC359EB708
                                                                              SHA-256:482D936CBBF75D3C6248BFCE1B6E5546AB79DE4D4A715490F62CF8674517AF64
                                                                              SHA-512:B9A97C76AA2A38273835DEC7C0A9E91C668038C5BC422BD92654C259865680F92B841115C92529A1AFC50E70CC358FDEB2981C8AE43852C6EE090A3AFF92AA6D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):305120
                                                                              Entropy (8bit):6.414707301174103
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k98FKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:XKucTm3RhMfoSBjA9U2Yxh+Zgb7X
                                                                              MD5:9938BDFE29D3CFAC8D713DFD743243B8
                                                                              SHA1:68CC77B8F114F34BE1A4A263D7F8736E857BBD12
                                                                              SHA-256:9204357B6EB1CB6459E2B0B67FC95E3A80D90781E0C7F97D7294FB6563B20CF1
                                                                              SHA-512:4F0C37C0BC405B483D11A80C5A23C1094ACB9E9CA48DDACC662E989AA21E301940018C08B5A861B482A06AFF2EA8AC9AAD0C8ABAB7E15628348764E779D306E4
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):142288
                                                                              Entropy (8bit):6.426793148875817
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CtaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:k9FzB+Aw4CZNr2fYLl
                                                                              MD5:2AFBE95A5B1815B2E957E569D2CEF5C4
                                                                              SHA1:BD94E512E4EBBFA8D7BA255E66015DB721CA4801
                                                                              SHA-256:B5385EBBA1FA3E8E1288780A37ADCFE065EC02C764BC539F60CF0BBC2949BAE6
                                                                              SHA-512:0BD007F304E27149CC134004BC51ABD86AD3A701F72DDCD0A121399A73FFAC72061A6B027477DDCD29464C7F50232F7197DF5BA5A8432F051D40FAC225512951
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1640416
                                                                              Entropy (8bit):7.912831259553018
                                                                              Encrypted:false
                                                                              SSDEEP:24576:1wy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:6y53w24gQu3TPZ2psFkiSqwozX
                                                                              MD5:DCC61986BC0A26675681559C484E15FB
                                                                              SHA1:6F413F9D4A2B64A6F9DCA21B9310EBFF186D6E16
                                                                              SHA-256:A341E8D1C1BA0A82635135A5A24089C3EA484066B02E28B1CAFCEB1628BF53EB
                                                                              SHA-512:2C93519CBBE6B0AFAE36A696EDC6C33A25808D562A286BA278DB0418440BA4DE7B27823F13114581D3F2C830BB3261D634622CDB4053EA28EBD4BCFF3216CFAE
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):144866
                                                                              Entropy (8bit):6.240317481153233
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CORD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:k9UD5lZ7y4j9KT4DteUY
                                                                              MD5:6A1BE74AD1EE28433BF1549DFA813DC9
                                                                              SHA1:A4BBC87890CA7463AEC75B963291A69B65390653
                                                                              SHA-256:BC21B225F668AE2C3B8439ADB91969D39F711E9D57B557AD79FAD8FD8AEB2085
                                                                              SHA-512:8A0033D4D5B82856CE0826B9DD90B792BF9E9641463DAC1DAE83ED6E3F18F384AB6CC5E0998615A8DCE5BD6CD360E17BCE85C1FF8AA45B08A95383D89D228B0B
                                                                              Malicious:true
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):280480
                                                                              Entropy (8bit):6.386490869107258
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9wPr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:/DQXRVTZu0GP+ZR
                                                                              MD5:F7B6F7CA5E4D9AD2DD9B1887D57CFF86
                                                                              SHA1:2E0494EF5F5603FCBB0F12F593F3F401930C2FDF
                                                                              SHA-256:26EB1DC3EBA8950CF5D8663EE94CA6105BE1227DD239B81FF571B4372D49D320
                                                                              SHA-512:181262E06BE2C01A7BDFCD4DEA634D71FD39D795339FA6A3FB327FE7E75BBB12C0B5AFC1E8811DDACA14654268D0D26E828BE1AE475B05503626684AF7190009
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4473576
                                                                              Entropy (8bit):6.569965325360163
                                                                              Encrypted:false
                                                                              SSDEEP:98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
                                                                              MD5:809D03153D2FCC1C9E1EE574DDF7CD2E
                                                                              SHA1:CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
                                                                              SHA-256:C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
                                                                              SHA-512:094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):501656
                                                                              Entropy (8bit):6.318829677338838
                                                                              Encrypted:false
                                                                              SSDEEP:12288:yLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:yLOwxyNHBVEHRiSFVlDW
                                                                              MD5:9FB296CF47C4D3E0FEF4974685EBE922
                                                                              SHA1:201293BEEB98FB83D118323C4803590E8C88E060
                                                                              SHA-256:5E21FE2FE640F209EB75B696C3334E577D2035436206C88C1F2E676CF560B75F
                                                                              SHA-512:CA9999251A1905BCA32D46857BD1213D37F2D33689E4D818FC006B88B84AA49AD9DB07B0C4D33361EFC0BFC697F705AEAF90D762C6CFAB3C9A9644BA73D750E3
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1637776
                                                                              Entropy (8bit):6.316717941409346
                                                                              Encrypted:false
                                                                              SSDEEP:24576:P7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:zZ1tKTwMZJ1XBsn/UC6dugWA
                                                                              MD5:987399D498F6C2C7196A60504DCBA1F6
                                                                              SHA1:7A48D6492B9BB936EABAA4C979BD25F87AB3F9B7
                                                                              SHA-256:9F924F7B9B84FBB73E29C707D1C1D61AC00A3AB295BF1BA9754E2189D6E4BC24
                                                                              SHA-512:DE1F5790664A48EE5001541BAE7727431467A65B54EFB43412B1EB474DF6477110E98B8DA1168478B0CED1FA8DDBF69FE7BA209F69FDF9BB58F964A514B12E36
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):224632
                                                                              Entropy (8bit):5.625757771676373
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CBFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:k9Ttx0SA+EySaQKeUz41
                                                                              MD5:0FD839CB7D94AF1C672BA149E6C580A8
                                                                              SHA1:12CB0350EC3AEFBC189A117621DBFDCE5DBB6E86
                                                                              SHA-256:E033F780C0F8E58FD81724A1B5B02CCFFF788553B2F5308E4EB46DB37E30F9F4
                                                                              SHA-512:F54057339522E8B1C30550BCCB56B420894FEF6B51F53709A88105362AD09F5A83FC1478BF8D7CD7A0B48D56BE5DCEB8597B71B989743133B2954DEA0E364A41
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):431336
                                                                              Entropy (8bit):5.904107554819713
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9GzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:/zBRnCBOrsBOBf
                                                                              MD5:641CC24F3AFB9E381161F17600323269
                                                                              SHA1:0A390D9A57B534A9A1C0CC441D9CBD9998608140
                                                                              SHA-256:8B5A689B0DB4EFE44C0601A89E97BA126F1E4EA943621B8EE444ED85EEA50CAA
                                                                              SHA-512:67BDB822FE0F484E60B7FA0944A4123D68C1F8B94E70D51F5F336C312F409CF7098EEB828D1A7A13138C7833A3689A7D226D909B1AAA3800EF491D88C39CBB03
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: ditekSHen
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):175160
                                                                              Entropy (8bit):5.997921392487593
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85CE/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:k9EtkIpdA5OfzDUeqx6u
                                                                              MD5:707EB4DC866F98B2701F57899DC19D51
                                                                              SHA1:59F9AA5CCB0EE3276F74C23ADD327342EF5B10AE
                                                                              SHA-256:F7DE47E26A16EB2459CD7FDC979BD30D0B50089D39433399EDA465023A0BD0BD
                                                                              SHA-512:C95D902254391B0D3ABD3A07930701E173808413E1F32BA1084F04EB5678EBC87ACAC2EA4BB6B26FE0550D78525EA3F54683FB9567A995B1318B5D9340E514FD
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: ditekSHen
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3162480
Entropy (8bit): 6.46880916383348
Encrypted: false
SSDEEP: 49152:znW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ys3OBj4UmOH
MD5: EAB4618E120B951B8FADB9965EF352D7
SHA1: C706F3479276CE840541862BBBD2C1530362BA03
SHA-256: 7D252BE50728CA3389124956E16D41F0AD14BB8C6F08D768F8A6555E25EA0F47
SHA-512: 8F69D95D0D39C8566F3EB1D456AE98285D36852278F474CAC382BF37FCB70714B4747F1984874A16B4850678C93C5170CF37E3A19E2EB89FC5881F00B9E527F2
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: ditekSHen
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1309408
Entropy (8bit): 6.496342895106016
Encrypted: false
SSDEEP: 24576:5+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:54AA4eGua43lgUFrv
MD5: B39DF380C20D63215708AA6263BE495F
SHA1: 4CE3BE7169E222E787A3E8238D53C32324981894
SHA-256: 36728B9A21D2A5927D9B4F5C02C0F5899DFB80ABD01F371342510DBBACFE2BCA
SHA-512: 42B087413B27B741EB2470A6C7F64571542B20AA43C5B29A43C290A3E83960DAEA82974F6C187DA70655B175D5FFBA3FF04608CF54F8832DB7ED2DA715DCACD6
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 922944
Entropy (8bit): 6.462019359288523
Encrypted: false
SSDEEP: 12288:V9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:L/BrnYuqFcL3pQ+pDX
MD5: A4A4D70FB8EFBD8702F5F5CA3F2225B7
SHA1: 3AB16972E6ECEE5162F4264AAB2B78AE5A6D9AFA
SHA-256: C8D5E992C3F31B60874957E81FC5C419F569CBC8FC3EF57F84F42F7E742C9EEF
SHA-512: 92E72BCB8526AA833D6A8E5E77994C15ADABC50F8742C5075532FE281DD4F309827584868F0F19E659E90B4EAEB520F80EAB3116A14D6546DCC85973A638CEA8
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: ditekSHen
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 501544
Entropy (8bit): 6.318210992294509
Encrypted: false
SSDEEP: 12288:yLH18t6x1hjaNHBlfBVDZS82Jn8YSFVhwDW:yLOwxyNHBVEHR8xFVhwDW
MD5: AED258F1B9A23FDB9CC5E4485138E644
SHA1: EAE5C3DB91C7DDF0B773CA86D0596D05687E0C93
SHA-256: 615D5E9AF84BA2817673B9CF42EC923DDAA24EB351AF72C8F0521CCFBC823F99
SHA-512: 65B31506659AEF8E650E19EAB25EC0772901650D0376A76EE259FB045F4FE943D583EB70FA9F844A9792968A4902B3D1E65426333B5DEB8AC7E625C822C74E99
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1637776
Entropy (8bit): 6.3167820027975505
Encrypted: false
SSDEEP: 24576:PzZzKrsdCmasrf9Xr5wzW27+w3E4nZ1jDkCZTunfmrd/Mq8pqiV+yeci+HMJ:7Z5d3f9Xr5wzW2x3E4vDkCZTEJ+3
MD5: 7001415B4FEAD5C33EC776F878BEFC14
SHA1: 9D27556E97A7CAE67486D6F3FD57530274227E84
SHA-256: 3C65FA71938F8F8AAEF99B20567427A50E2081B52B01799E6DE0922E577A4F09
SHA-512: 83A26C44B7E7F2E2F28F57D39EC624F9F56C19EB38121A8AEF6B279852746831466D76CA16B93EB0979B8FB4EF5FD93A74F411F25EB9EF2127EDC376365895E9
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 224632
Entropy (8bit): 5.625443062700148
Encrypted: false
SSDEEP: 3072:sr85CJNzQsUdR7ROPHKTeA+EyBEBsLj6mCv0MC+8w+l+jDYgb:k9jzrUdH7+Ey6yxCyncDYgb
MD5: 6E3952F20879578A8938CDACB7536183
SHA1: 983C0C98D8E38CB7D3E461370320B3B31258439E
SHA-256: 2689FF014A00F6110EACAF335538BC57AE4DB0681C9C0B3E5B0F3DAD33EF0011
SHA-512: 98B18D03FC15933A1FB4E9EB6965E5BAEE9BD2376D3F3A30D5900CD309DAB041FBE1D99716C086D3ABC3F8277D7E12DC8E6B5378E3C92B7633982672EDF2CDD3
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1922888
Entropy (8bit): 6.54227144741344
Encrypted: false
SSDEEP: 49152:txzduwxBjJMXDUlxqK/PDLWf+kfilcOk+4AgAQx:JuADax
MD5: 6EAF653BEC36CC61FFAAA74C2461CAE2
SHA1: FBDDB56574DE87B9BC9D2A23BF4FFAC80020C313
SHA-256: 80056A156E3C10D8B335E1AA5D0B9F3B426CF7698B120A7CB593A745C40B0D78
SHA-512: A6121E79CC254EC625590C81AF2281A2C1C591AD751690D8F2A68055B77E3ED0866E1166126453F218F5C45423F5059379BC0487A756E5299D72E87EEF7C2B53
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, Author: ditekSHen
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 431256
Entropy (8bit): 5.903632333497157
Encrypted: false
SSDEEP: 6144:k9mDBRMKC2DARcy85smiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVL3:/DBRPC23DWqOhf
MD5: 05E8468F3C11C655FA5C0393FC91B745
SHA1: 3C41A0398A82AC6C949DFE0F5A444C47AE05B9E5
SHA-256: 659B9F92E7340FA757458CF6E4C4EED5EF8680C5C203D1BC9C7C5BF44CAE2BE2
SHA-512: C762C38321BC4B12EF0CDD9BC51B2B8D2C3B817B62D5F27ADF0A5CFC26A3AC846A2CACD27668AD9997F30BA795668820CA948D54037DD2918B27A6584BB4B8CA
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 175056
Entropy (8bit): 6.000125322491865
Encrypted: false
SSDEEP: 3072:sr85CLBGrjhgGcKTeA4yJjAYykykBdg+FoQOJb/B1a:k9LgfhFAYykySfUb/B1a
MD5: 122C5EEF72C8E9945312BCC27CDFA1C2
SHA1: 073B5DBC1755095FE4A2037B9B3B63D153113156
SHA-256: 8A8EC674356DABE752037E162860B7A4FAB54635DAF6A1E112FC1894B72BABBE
SHA-512: 64F0B2AA151D83E51D754345EB149B209AD3741699E7272351D6711D4419ECEB14A2A9667479735F082D167373B9DF154460E92B7870FD2F9F6A0CA180F20BBD
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3158376
Entropy (8bit): 6.464089113147873
Encrypted: false
SSDEEP: 49152:Y7Inw/bT9uzlAndnpufoDbRwU/xv3lNOsWReEQZeEO1QOiPQOo4r+U:8/VmUAYrj
MD5: 90F78071E0C92AADC17864CB0C11ED36
SHA1: 406DBDF1785C49037A1729432A30FE2753EF3662
SHA-256: 16CDB9A6B078E8F3655310B3DF161BB481DFD041BE65B3F302C823F699925431
SHA-512: 869AE6FA1F7A167A21A21277423A054CF1995377A7B4FA6C5E7C58DFA9D07EC46DEC7C9B8B74515CB0C6FE392449DCA836A05F2541F5844E0E2754D4A9C9FD07
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1309536
Entropy (8bit): 6.495307594774125
Encrypted: false
SSDEEP: 24576:zvbIUnHtg+i54V0tqDNbu5kDIPQy+NTD4XnFzr:zzXzdMkDIPQy+Nv4Vr
MD5: 56C6D475B98686A5C3C848B232662383
SHA1: 23C37E7B08D8B644CA18688643A3867CFAB64B64
SHA-256: 561F20A7B1FD4E51894C8DEF981DADA325A54C0AB355CE28E858BE06FE6C0526
SHA-512: 92DCD39C7D6ADB080714547D8E80CC0D6B7269B86457617999FEB06A7C8B2D6FD62F4D461CCA991298FA4EC66D2E85F41E31A2E748AD98E5841F79A64F00E03A
Malicious: true
Process: C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 922960
Entropy (8bit): 6.4621080170674
Encrypted: false
SSDEEP: 12288:V9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+pouCcqC7D4:L/BrnYuqFcL3pQ+pYmE
MD5: A7CD28CC20BCFBF2AB1B81FE970DFABF
SHA1: 3C0D0B85304CA47F87480DD8AB0C42838A438509
SHA-256: CFDBEC3C2769A41631B4B1310C46A1CE5BBDE097592E52266F94425DFDE52EE2
SHA-512: AAEA29865EE94F5AEB7D013DE499B7813FBC31D9501AEEE6A16CDF60D1BD8DD2F59C9D650302F79CB85C9DDE721A776EB189759A1F3B4ABEAEFA78E261E59790
Malicious: true
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):692064
                                                                              Entropy (8bit):7.195091714831986
                                                                              Encrypted:false
                                                                              SSDEEP:12288:kskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:ksZgjS1hqgSC/izkfFjymk4HM5yJwMK
                                                                              MD5:2BBCB1E61E3B17B7F89D97FA21A3881D
                                                                              SHA1:C90D9A55FFB5BD4FC7318B542DDE1F72A2341334
                                                                              SHA-256:A2606AED76695606C291929D55A32A5CE51A9981A1471E24A2F33FCC5B97037F
                                                                              SHA-512:657172F611FD934DA6DC59544043EF046948DC6052CFDA142008CB342E7264FC0701D7160B3D2774DA63B4354E9B967480FF0007A30DF9D83088842222C0A8B3
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2376252
                                                                              Entropy (8bit):6.5144370149070685
                                                                              Encrypted:false
                                                                              SSDEEP:24576:YFbkIsaPiXSVnC7Yp9zkNmZG8RRln4yz1Iila8CUpDPkebAeppIg1QR0zKWs6c8u:YREXSVMDi3C0aFUF/pRzK9ihFlkZ
                                                                              MD5:3661801094ECE049030D74F100A62A7D
                                                                              SHA1:BE2AD7CB68F836ED2EB7904D84A736B7BDFFF46F
                                                                              SHA-256:432EA6299E26471CC3F16EBE28BC694E45AFD3D85F11AC5BD5395CB2F951D3BF
                                                                              SHA-512:72659287E7FC1C22CE7A3D7E8BAE4121395CD32F1553069FADB2C80BADEA58A5EC80A18A5915BA38858BDF829524748BDF5EACDF2F289565DBD60A26F50757BB
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):182272
                                                                              Entropy (8bit):6.784375621590053
                                                                              Encrypted:false
                                                                              SSDEEP:3072:sr85C/sWLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:k9/9mCtnRPF9cCGr/uH0gkSdQB
                                                                              MD5:73F73E565BCCA28C58B8CD91DC1056AD
                                                                              SHA1:AB7B58E90994D016DFD7937556FDEA6FE13ABA22
                                                                              SHA-256:A0AC3CF26C12A9727FE6986DB32F255CBBCD6E45B063022E79C74DBD3787546C
                                                                              SHA-512:460230C3F943A4626BFF45040B26D0C542140DD7EED6F58FF0D9412125359219DAE252080ACF27A2DAC15AC6C9FE4A32277D185D727841D0B719DF4D3356225E
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):387072
                                                                              Entropy (8bit):6.35762425937126
                                                                              Encrypted:false
                                                                              SSDEEP:6144:k9kcHnNmZEvB7csAPRZyfQjCfA3lMXm4Y+5bFnWBFopJOUAkIXw5:iNmZEvJcscRZzjCI1O5WyIXw5
                                                                              MD5:A52E0CA23BB3A960797A301B894A5812
                                                                              SHA1:D7505B002EEB3893B4D118213422697D6EC2C18F
                                                                              SHA-256:09D437A03B35F51F39AB5FF847FAB1E8213E444E6C2E3547B58424FECD96E1C9
                                                                              SHA-512:FE109648CEBDB1909CBDF87A118C170BF7907E1172F43D02F75535F02443D8C979869505AF99EF26DF52CA1EE841FE2BFA4E7BC053CA889F156E0653C4927D04
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:OpenPGP Public Key
                                                                              Category:modified
                                                                              Size (bytes):8
                                                                              Entropy (8bit):3.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:oqDk:zk
                                                                              MD5:528A8CF338C38893A7F0640087B7A656
                                                                              SHA1:11C6C220EF374ECFEF06EF4729469796EC0C3B7B
                                                                              SHA-256:7B3303A43F62B388FEF261EE79523681B78E61867E1A6F9CE5BACA78AED02B0D
                                                                              SHA-512:D38B004963AF063DFF5173C57F872675ADB831AA5F543AB2DAA554421D68C5889BA37F506EB992C9B7700D704AC2C78D7C98374BBE9760EFFCEAE1ACDBEFB9A2
                                                                              Malicious:false
                                                                              Preview:.~.N..&A
                                                                              Process:C:\Users\user\AppData\Local\Temp\look2.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):52224
                                                                              Entropy (8bit):6.275160102765287
                                                                              Encrypted:false
                                                                              SSDEEP:1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL4JYH5:1dWubF3n9S91BF3fbokJYH5
                                                                              MD5:3C55841A9576388E4103A34F8232929C
                                                                              SHA1:25191E4F5631032779C2235C18A1D102786F8863
                                                                              SHA-256:F5C00D46F8F94EF467E57FFEC059A0085D013CC578C55712F5A3EB985F77041C
                                                                              SHA-512:568AA9779A771C8ECD3F3D47E44DB62AB691C750114EB0933093DD531635F36D03902BF49D51371CAA0A7A89436079955123DAC2B423F9AA1FE937FCB00B7576
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Windows\SysWOW64\4958812.bat, Author: Joe Security
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.>.Tom.Tom.Tom.Hcm.Tom3[0m.Tom.Kdm.TomsHam.Tom.Kem.Tom.Kkm.Tom.rdm.Tom.rkm.Tom.Tom.Tom.Tnm.Tom3[2m.Tom.Kdm.Tom7Rim.Tom.Kkm.TomRich.Tom........PE..L.....i`...........!.........J......(...............................................................................P.......`...........@.......................(....................................................... ............................text............................... ..`.rdata..............................@..@.data....!..........................@....rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\look2.exe
                                                                              File Type:ISO-8859 text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):42
                                                                              Entropy (8bit):4.558518613048907
                                                                              Encrypted:false
                                                                              SSDEEP:3:oVXR6vclvibAFv:o9eclv/v
                                                                              MD5:A8029E227D4D16C9E01471E27CCBEF38
                                                                              SHA1:3842B1434BD3281C9CAA53379C7E123745F6A75E
                                                                              SHA-256:29CD6175628206697C057115DDA45DB24F6B12BF18023105CE44350B2849B1B6
                                                                              SHA-512:67C1FE3E9F652561129CAD8DADAB59C3B5DA2A809895DE65A7A80EF5E455AFDD7DEBB1CB2B4C2E6B9B0B49BD884505361206B986DB86EC6CD94BE137489460B2
                                                                              Malicious:false
                                                                              Preview:[2024-11-21 03:40]..Group=...1..Remark=..
                                                                              Process:C:\Windows\SysWOW64\svchost.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):61440
                                                                              Entropy (8bit):6.199746098562656
                                                                              Encrypted:false
                                                                              SSDEEP:1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
                                                                              MD5:889B99C52A60DD49227C5E485A016679
                                                                              SHA1:8FA889E456AA646A4D0A4349977430CE5FA5E2D7
                                                                              SHA-256:6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
                                                                              SHA-512:08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
                                                                              Malicious:false
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):41472
                                                                              Entropy (8bit):6.0265295231535765
                                                                              Encrypted:false
                                                                              SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ:JxqjQ+P04wsmJC
                                                                              MD5:7113991DE0E42B861AFA89DF1E379B51
                                                                              SHA1:5BD1DB370C34C21397E92DDD79363F4610559989
                                                                              SHA-256:F9A151FA306DB3554533DE055BB4EA96B951A43E9EBBC79EDDC2259EDB5DE864
                                                                              SHA-512:3FF080AA156879A4FB71EE54370C03F91D870016ACC8297C2B3A80A252623CB87AD14A611BD68EC40E42F687D43A8A274594009178146C9C29359B2DF1DD0F43
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
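The dropped-file list above gives a small set of host artifacts worth hunting for on other machines: the Neshta body written as C:\Windows\svchost.com, the DLL dropped under a .bat name as C:\Windows\SysWOW64\4958812.bat, and the 3582-490 staging directory under %TEMP% that holds the re-launched copy of the original. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling. It walks a root (a mounted image or the live system drive) and flags those paths plus any file whose extension says script or text but whose first bytes are a PE header, which is the content-based check that catches "drops PE files with a suspicious file extension" whatever file name the dropper picks. The demo tree, the extension list and the finding tags are constructed for this example.

```python
"""Post-infection hunt for the artifacts the report lists above.

Added example, not part of the report. Checks the observed drop paths, the
3582-490 staging directory under TEMP, and PE images parked under
non-executable extensions (the DLL dropped as 4958812.bat, the Neshta body
as svchost.com). Point root at a mounted image or the live system drive.
"""
import os
import struct
import tempfile

BORLAND_STUB = b"This program must be run under Win32"   # DOS stub text in every Neshta-flagged preview
NON_PE_EXTENSIONS = {".bat", ".cmd", ".com", ".txt", ".log", ".dat", ".tmp", ".ini"}
NESHTA_ARTIFACTS = ["Windows/svchost.com", "Windows/SysWOW64/4958812.bat"]  # drop paths from the report
NESHTA_STAGING_DIR = "3582-490"                                             # %TEMP%\3582-490 from the report


def is_pe(head: bytes) -> bool:
    """DOS header whose e_lfanew lands on a PE signature; content decides, not the extension."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_borland_stub(head: bytes) -> bool:
    """'MZP' plus the Borland stub text: consistent with the Delphi-built Neshta body, not proof alone."""
    return head[:3] == b"MZP" and BORLAND_STUB in head[:0x100]


def hunt(root: str):
    """Return sorted (tag, path-relative-to-root) findings."""
    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    findings = []
    for artifact in NESHTA_ARTIFACTS:
        path = os.path.join(root, *artifact.split("/"))
        if os.path.isfile(path):
            findings.append(("known_artifact", rel(path)))
    for dirpath, dirnames, filenames in os.walk(root):
        if NESHTA_STAGING_DIR in dirnames:
            findings.append(("neshta_staging_dir", rel(os.path.join(dirpath, NESHTA_STAGING_DIR))))
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in NON_PE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(0x400)           # headers only; no need to read whole files
            if is_pe(head):
                tag = "pe_as_" + ext[1:] + ("_borland_stub" if is_borland_stub(head) else "")
                findings.append((tag, rel(path)))
    return sorted(findings)


# Constructed demo tree: minimal headers standing in for the real dropped files,
# whose bytes the report shows only as a dotted preview.
FAKE_EXE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
FAKE_BORLAND_EXE = b"MZP" + bytes(0x39) + struct.pack("<I", 0x40) + b"PE\0\0" + BORLAND_STUB


def make_demo_tree() -> str:
    """Build a throwaway directory that mimics the paths the sandbox observed."""
    root = tempfile.mkdtemp(prefix="neshta_hunt_")
    files = {
        "Windows/svchost.com": FAKE_BORLAND_EXE,
        "Windows/SysWOW64/4958812.bat": FAKE_EXE,
        "Users/user/AppData/Local/Temp/3582-490/dropped.exe": FAKE_BORLAND_EXE,
        "Users/user/notes.txt": b"plain text\r\n",
        "Users/user/clean.bat": b"@echo off\r\n",
    }
    for relpath, content in files.items():
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for tag, path in hunt(make_demo_tree()):
        print(tag, path)
```

The known-path checks are brittle by design (a rebuilt sample can pick another name), so the content check is the one to keep: a file under .bat or .com whose first bytes form a valid DOS-plus-PE header is worth pulling regardless of what else matches.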
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):6.5144370149070685
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 96.71%
                                                                              • Win32 Executable Borland Delphi 6 (262906/60) 2.54%
                                                                              • InstallShield setup (43055/19) 0.42%
                                                                              • Win32 Executable Delphi generic (14689/80) 0.14%
                                                                              • Windows Screen Saver (13104/52) 0.13%
                                                                              File name:#U63d0#U53d6Proxy (1).exe
                                                                              File size:2'376'252 bytes
                                                                              MD5:3661801094ece049030d74f100a62a7d
                                                                              SHA1:be2ad7cb68f836ed2eb7904d84a736b7bdfff46f
                                                                              SHA256:432ea6299e26471cc3f16ebe28bc694e45afd3d85f11ac5bd5395cb2f951d3bf
                                                                              SHA512:72659287e7fc1c22ce7a3d7e8bae4121395cd32f1553069fadb2c80badea58a5ec80a18a5915ba38858bdf829524748bdf5eacdf2f289565dbd60a26f50757bb
                                                                              SSDEEP:24576:YFbkIsaPiXSVnC7Yp9zkNmZG8RRln4yz1Iila8CUpDPkebAeppIg1QR0zKWs6c8u:YREXSVMDi3C0aFUF/pRzK9ihFlkZ
                                                                              TLSH:6DB5BF43B981C0B2C509193189AB7B3ADA759F550E21CAD393ACFF2DAD32141DE37267
                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                              Icon Hash:260606666666e414
                                                                              Entrypoint:0x4080e4
                                                                              Entrypoint Section:CODE
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                              DLL Characteristics:
                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:9f4693fc0c511135129493f2161d1e86
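Three of the static fields above carry triage value. The link timestamp 0x2A425E19 is the fixed constant that Borland Delphi linkers write into every image, so 1992-06-19 is not a build date and must not be used for timelining. The entry point 0x4080e4 resolves into the Delphi-named CODE section. The characteristics flags listed sum to 0x818E, the usual Delphi set, with IMAGE_FILE_DLL clear. The parser below is an added example, not report output and not any library's API; it pulls exactly those fields from a PE32 header. Because the page shows only a dotted preview of the real file, it also builds a constructed stand-in carrying the report's header values, with section sizes that are made up.

```python
"""Static PE32 header triage for the fields shown above: link timestamp,
entry point and its section, COFF characteristics, and the Borland 'MZP' marker.

Added example, not part of the report. The sample bytes are a constructed
stand-in carrying the report's header values.
"""
import struct
from datetime import datetime, timezone

DELPHI_TIMESTAMP = 0x2A425E19   # fixed link-time constant written by Borland Delphi linkers
IMAGE_FILE_DLL = 0x2000
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def parse_pe(data: bytes) -> dict:
    """Decode the DOS header, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = e_lfanew + 24                               # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, _, _, _, _, _, _ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rsize)))
    ep_section = next((n for n, va, size in sections if va <= entry_rva < va + size), None)
    return {
        "machine": machine,
        "pe32": magic == 0x10B,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem_gui": subsystem == 2,
        "borland_mzp": data[:3] == b"MZP",
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_timestamp": ts == DELPHI_TIMESTAMP,   # True means the date says nothing about build time
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": ep_section,
        "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit],
        "sections": [n for n, _, _ in sections],
    }


def build_sample_pe(timestamp=DELPHI_TIMESTAMP, entry_rva=0x80E4, borland=True) -> bytes:
    """Constructed PE32 with the report's values: entry 0x4080e4 in CODE, image base 0x400000,
    characteristics 0x818E, GUI subsystem, Delphi section names. Section sizes are invented."""
    sections = [(b"CODE", 0x1000, 0x7300), (b"DATA", 0x9000, 0x400), (b"BSS", 0xA000, 0x800),
                (b".idata", 0xB000, 0x600), (b".tls", 0xC000, 0x10), (b".rdata", 0xD000, 0x20),
                (b".reloc", 0xE000, 0x800), (b".rsrc", 0xF000, 0x1000)]
    e_lfanew = 0x100
    dos = bytearray(e_lfanew)
    dos[:3] = b"MZP" if borland else b"MZ\0"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, 224, 0x818E)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)     # OS 4.0, image 0.0, subsystem 4.0
    struct.pack_into("<H", opt, 68, 2)                          # IMAGE_SUBSYSTEM_WINDOWS_GUI
    hdrs = b"".join(struct.pack(SECTION_FMT, name, size, va, size, 0x400, 0, 0, 0, 0, 0x60000020)
                    for name, va, size in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Treat `delphi_timestamp` as a tooling fingerprint rather than a date: a Delphi-built file always carries 0x2A425E19, so the field is useful for clustering with the other MZP files in the report and useless for establishing when the sample was built.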
                                                                              Instruction
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              add esp, FFFFFFE0h
                                                                              xor eax, eax
                                                                              mov dword ptr [ebp-20h], eax
                                                                              mov dword ptr [ebp-18h], eax
                                                                              mov dword ptr [ebp-1Ch], eax
                                                                              mov dword ptr [ebp-14h], eax
                                                                              mov eax, 00408054h
                                                                              call 00007F58D8F63707h
                                                                              xor eax, eax
                                                                              push ebp
                                                                              push 00408220h
                                                                              push dword ptr fs:[eax]
                                                                              mov dword ptr fs:[eax], esp
                                                                              mov eax, 004091A8h
                                                                              mov ecx, 0000000Bh
                                                                              mov edx, 0000000Bh
                                                                              call 00007F58D8F66851h
                                                                              mov eax, 004091B4h
                                                                              mov ecx, 00000009h
                                                                              mov edx, 00000009h
                                                                              call 00007F58D8F6683Dh
                                                                              mov eax, 004091C0h
                                                                              mov ecx, 00000003h
                                                                              mov edx, 00000003h
                                                                              call 00007F58D8F66829h
                                                                              mov eax, 004091DCh
                                                                              mov ecx, 00000003h
                                                                              mov edx, 00000003h
                                                                              call 00007F58D8F66815h
                                                                              mov eax, dword ptr [00409210h]
                                                                              mov ecx, 0000000Bh
                                                                              mov edx, 0000000Bh
                                                                              call 00007F58D8F66801h
                                                                              call 00007F58D8F66858h
                                                                              lea edx, dword ptr [ebp-14h]
                                                                              xor eax, eax
                                                                              call 00007F58D8F64142h
                                                                              mov eax, dword ptr [ebp-14h]
                                                                              call 00007F58D8F646D6h
                                                                              cmp eax, 0000A200h
                                                                              jle 00007F58D8F678F7h
                                                                              call 00007F58D8F66DD6h
                                                                              call 00007F58D8F675E9h
                                                                              mov eax, 004091C4h
                                                                              mov ecx, 00000003h
                                                                              mov edx, 00000003h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15000 | 0x864 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x5cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x17000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x722c | 0x7400 | ca3464d4f08c9010e7ffa2fe3e890344 | False | 0.6173558728448276 | data | 6.511672174892103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9000 | 0x218 | 0x400 | 7ffc3168a7f3103634abdf3a768ed128 | False | 0.3623046875 | data | 3.1516983405583385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xa000 | 0xa899 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x15000 | 0x864 | 0xa00 | 6e7a45521bfca94f1e506361f70e7261 | False | 0.37421875 | data | 4.173859768945439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x16000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x17000 | 0x18 | 0x200 | 7e6c0f4f4435abc870eb550d5072bad6 | False | 0.05078125 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0x5cc | 0x600 | 16968c66d220638496d6b095f21de777 | False | 0.8483072916666666 | data | 6.443093465893509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x1400 | 0x1400 | 1cc55f871f239dca999bec4b16507109 | False | 0.1544921875 | data | 2.1235147779797923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x19150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4264 | Russian | Russia | 0.0349437148217636
RT_RCDATA | 0x1a1f8 | 0x10 | data | | | 1.5
RT_RCDATA | 0x1a208 | 0xac | data | | | 1.063953488372093
RT_GROUP_ICON | 0x1a2b4 | 0x14 | data | Russian | Russia | 1.1
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, MessageBoxA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll | StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll | ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll | ShellExecuteA, ExtractIconA
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 09:40:09.936665058 CET | 62314 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:40:10.946983099 CET | 62314 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:40:11.323322058 CET | 53 | 62314 | 1.1.1.1 | 192.168.2.6
Nov 21, 2024 09:40:11.323340893 CET | 53 | 62314 | 1.1.1.1 | 192.168.2.6
Nov 21, 2024 09:41:12.291455030 CET | 60833 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:41:13.290967941 CET | 60833 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:41:13.568958044 CET | 53 | 60833 | 1.1.1.1 | 192.168.2.6
Nov 21, 2024 09:41:13.569025993 CET | 53 | 60833 | 1.1.1.1 | 192.168.2.6
Nov 21, 2024 09:42:13.229129076 CET | 63187 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:42:14.228502989 CET | 63187 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:42:14.586570024 CET | 53 | 63187 | 1.1.1.1 | 192.168.2.6
Nov 21, 2024 09:42:14.586581945 CET | 53 | 63187 | 1.1.1.1 | 192.168.2.6
Nov 21, 2024 09:43:14.151635885 CET | 65133 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:43:14.585628986 CET | 53 | 65133 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 09:40:09.936665058 CET | 192.168.2.6 | 1.1.1.1 | 0x3667 | Standard query (0) | kinh.xmcxmr.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:40:10.946983099 CET | 192.168.2.6 | 1.1.1.1 | 0x3667 | Standard query (0) | kinh.xmcxmr.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:41:12.291455030 CET | 192.168.2.6 | 1.1.1.1 | 0x708b | Standard query (0) | kinh.xmcxmr.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:41:13.290967941 CET | 192.168.2.6 | 1.1.1.1 | 0x708b | Standard query (0) | kinh.xmcxmr.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:42:13.229129076 CET | 192.168.2.6 | 1.1.1.1 | 0x401 | Standard query (0) | kinh.xmcxmr.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:42:14.228502989 CET | 192.168.2.6 | 1.1.1.1 | 0x401 | Standard query (0) | kinh.xmcxmr.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:43:14.151635885 CET | 192.168.2.6 | 1.1.1.1 | 0x2910 | Standard query (0) | kinh.xmcxmr.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 09:40:11.323322058 CET | 1.1.1.1 | 192.168.2.6 | 0x3667 | No error (0) | kinh.xmcxmr.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:40:11.323340893 CET | 1.1.1.1 | 192.168.2.6 | 0x3667 | No error (0) | kinh.xmcxmr.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:41:13.568958044 CET | 1.1.1.1 | 192.168.2.6 | 0x708b | No error (0) | kinh.xmcxmr.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:41:13.569025993 CET | 1.1.1.1 | 192.168.2.6 | 0x708b | No error (0) | kinh.xmcxmr.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:42:14.586570024 CET | 1.1.1.1 | 192.168.2.6 | 0x401 | No error (0) | kinh.xmcxmr.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:42:14.586581945 CET | 1.1.1.1 | 192.168.2.6 | 0x401 | No error (0) | kinh.xmcxmr.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:43:14.585628986 CET | 1.1.1.1 | 192.168.2.6 | 0x2910 | No error (0) | kinh.xmcxmr.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false

                                                                              Target ID:0
                                                                              Start time:03:40:04
                                                                              Start date:21/11/2024
                                                                              Path:C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\#U63d0#U53d6Proxy (1).exe"
                                                                              Imagebase:0x400000
                                                                              File size:2'376'252 bytes
                                                                              MD5 hash:3661801094ECE049030D74F100A62A7D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2601271801.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:03:40:04
                                                                              Start date:21/11/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe"
                                                                              Imagebase:0x400000
                                                                              File size:2'334'780 bytes
                                                                              MD5 hash:70E7FC95995215806697E6F7464AE162
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.2181760433.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000000.2177773403.0000000000480000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.2181205076.00000000025B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.2181976397.00000000025B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U63d0#U53d6Proxy (1).exe, Author: ditekSHen
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:03:40:05
                                                                              Start date:21/11/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\look2.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\\look2.exe
                                                                              Imagebase:0x400000
                                                                              File size:345'600 bytes
                                                                              MD5 hash:2F3B6F16E33E28AD75F3FDAEF2567807
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000003.00000000.2179542390.0000000000441000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: ditekSHen
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:03:40:05
                                                                              Start date:21/11/2024
                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\svchost.exe -k "svchcst"
                                                                              Imagebase:0xfc0000
                                                                              File size:46'504 bytes
                                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:03:40:05
                                                                              Start date:21/11/2024
                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\svchost.exe -k "svchcst"
                                                                              Imagebase:0xfc0000
                                                                              File size:46'504 bytes
                                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Gh0stCringe, Description: Yara detected Gh0stCringe, Source: 00000005.00000002.4657433933.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:6
                                                                              Start time:03:40:09
                                                                              Start date:21/11/2024
                                                                              Path:C:\Windows\SysWOW64\svchcst.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\system32\svchcst.exe "c:\windows\system32\4958812.bat",MainThread
                                                                              Imagebase:0xd00000
                                                                              File size:61'440 bytes
                                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Gh0stCringe, Description: Yara detected Gh0stCringe, Source: 00000006.00000002.4657492040.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                                Strings
                                                                                Memory Dump Source
• Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID: BGR$ ZYX$ baL$YARG$caps$knil$lcmn$psca$rncs$rtnm$rtrp$tsba
• API String ID: 0-1124805108
• Opcode ID: aed33545beffabc9f7e1b222ac90f2c9e68c313df82e5e4790da6ecf606e86a2
• Instruction ID: 0873906521b33152a2246a86061f1bed248326098a74db91823d64d25dfd5cdc
• Opcode Fuzzy Hash: aed33545beffabc9f7e1b222ac90f2c9e68c313df82e5e4790da6ecf606e86a2
• Instruction Fuzzy Hash: 4C918AE374815027DB0CDE2C8C91ABB7B9A9BC9241F1E81A5FBACCA307E316D5058675

Strings
Memory Dump Source
• Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID: MTrk$d
• API String ID: 0-4044675371
• Opcode ID: bba396254cf0c26579988c787e60e21f9dee8d7754c73f768d9b982935010523
• Instruction ID: 5fc1ba25573f70c7860da4d26448061d7182fc40546ba8205cbda61c4de68559
• Opcode Fuzzy Hash: bba396254cf0c26579988c787e60e21f9dee8d7754c73f768d9b982935010523
• Instruction Fuzzy Hash: E3918E75B40605DFD718CF29C880A6AB7E2EFC8314B15893DE84ACB741EB35E906CB90

Strings
Memory Dump Source
• Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 0464363e5fd2276ba3f9f0804d58ff257c66e84c842e7d2ca8e66713e8925349
• Instruction ID: 6d36014cdd3dc39681a6850cf3a5e61c8695b342ecfca0e4c052fe32a50bd67f
• Opcode Fuzzy Hash: 0464363e5fd2276ba3f9f0804d58ff257c66e84c842e7d2ca8e66713e8925349
• Instruction Fuzzy Hash: F9729C75648381AFC720DF24C880B6FB7EAAFD4704F25492DE98997240DB35E945CFA2

Strings
Memory Dump Source
• Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: 2
• API String ID: 3519838083-450215437
• Opcode ID: c0339e2746b54f0ce1190d4bd15c44c0d1d881a0f20a645914521d689400bd8e
• Instruction ID: a77ed2c7b8805d0fa8df5eaeda14a851019510ff77a2c5124101ffa79e27e81a
• Opcode Fuzzy Hash: c0339e2746b54f0ce1190d4bd15c44c0d1d881a0f20a645914521d689400bd8e
• Instruction Fuzzy Hash: A3F109716087409FD764DF68C880B6BB7E9BFC8704F408A2DF59A87294DB74E909CB52

Strings
Memory Dump Source
• Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID: lUO
• API String ID: 0-2669878854
• Opcode ID: f3b3751be0055bb4ae5f0245cf300741e1b064cb018afa51338a5cde09ca4f7b
• Instruction ID: f8543f65b20513b4380876175989b8eb7dbd62f492ed10f1f6666943ed4cfce9
• Opcode Fuzzy Hash: f3b3751be0055bb4ae5f0245cf300741e1b064cb018afa51338a5cde09ca4f7b
• Instruction Fuzzy Hash: BBC1CF71A187428FC718CF6CD4A062AFBE1FBD8310F194A6DE8DAA3755C770A815CB85

Strings
Memory Dump Source
• Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID: VUUU
• API String ID: 0-2040033107
• Opcode ID: 57d9c8bfe10be56b2e141fb50425815332441f6122d94bcdd30c283ce2ceb76c
• Instruction ID: b48814c81cdba90100e8f61f3e1b91845cf18818666b1ccc28e60dba394f3cd7
• Opcode Fuzzy Hash: 57d9c8bfe10be56b2e141fb50425815332441f6122d94bcdd30c283ce2ceb76c
• Instruction Fuzzy Hash: B6912172A44E408BD7698A38CC557E677D3AB88304F09892DE6BAC7BE1E768A041C700
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 27c8d435e4a79cdf99dd996a5b040aa612b6b459332a9350c378e94c1eec9c45
                                                                                • Instruction ID: 7cfde9373dd4b180cdc045e34a86bd5f11b1910fdec4e52f2b95be42057c4dc8
                                                                                • Opcode Fuzzy Hash: 27c8d435e4a79cdf99dd996a5b040aa612b6b459332a9350c378e94c1eec9c45
                                                                                • Instruction Fuzzy Hash: 53B13775224B418FD328CF68C9909A7B3E6BF89704B18892DD4DBC7B96D671F841CB44
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                                                                • Instruction ID: 25b536b97ac7a9c7fa1cbe951d9d98d0557dd0a7944303f28fd4dce9e7b75c4b
                                                                                • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                                                                • Instruction Fuzzy Hash: 88B17A75A1020ADFDB19CF44C5D0BA8BBA1BF48318F64C19DD85A5B386CB31EA56CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                                                                • Instruction ID: b57c645bda339103910cfb0c264339b6be6fa337004c560596ec29d0bb26b05b
                                                                                • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                                                                • Instruction Fuzzy Hash: 7FB1AC3591021ADFDB15CF44C2D0AA8BBE1FF59318F14C1AED81A4B786C771EA46CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 718120a221386da442854b888df5bf8e19c80b1632074b154d10614969054808
                                                                                • Instruction ID: d3fda22d826b68e29d9769ed32c8f4bed79f8e262bd1c2b03a06bd0cb72b7435
                                                                                • Opcode Fuzzy Hash: 718120a221386da442854b888df5bf8e19c80b1632074b154d10614969054808
                                                                                • Instruction Fuzzy Hash: 099100B2A483429FD348DF18C881B6BB7E6EBC8704F04452DF6A997390D3B4D941CB96
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
                                                                                • Instruction ID: a3b94c4f623b8bb27361439578b79f93cd7bd656f2833837454a704924738f2a
                                                                                • Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
                                                                                • Instruction Fuzzy Hash: 39A12775A087418FC314CF69C48095AFBF2BFC8714F198A6DE99987325E770E945CB82
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
                                                                                • Instruction ID: a706a651ebe3c9fce67d4df34c34051b4fd68075bf3ed01c1220ebe701fffc0c
                                                                                • Opcode Fuzzy Hash: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
                                                                                • Instruction Fuzzy Hash: EE71D435558693CACB11CF28C088365FFE2AB96204F0CC79ED8C99B39BD762E509C791
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9ad8d4c637540b7d9420b0b0a950ea0329340b28058caa13d374285fbc6198ec
                                                                                • Instruction ID: bc0d4bf91a961b8dfadc4365d07a69d59b6628652b3b26be2cfab0771c776264
                                                                                • Opcode Fuzzy Hash: 9ad8d4c637540b7d9420b0b0a950ea0329340b28058caa13d374285fbc6198ec
                                                                                • Instruction Fuzzy Hash: 9B5108B2B487914BDB68CE384C6076BBBE35FC6204F0D886DE5EAD7341E364E5058B60
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c299bc4eb9688c4ecd8a572e18169d0f238f69ef927966c2e0411f92477dfa26
                                                                                • Instruction ID: 1c66defefd1cc99c7b0364f6407276f8d95f43cc904ba0cf32c64146f137f720
                                                                                • Opcode Fuzzy Hash: c299bc4eb9688c4ecd8a572e18169d0f238f69ef927966c2e0411f92477dfa26
                                                                                • Instruction Fuzzy Hash: 28618DB0648281AFD798CF18C890A7FB7EAAFC8304F15495DF7AA87351D771E8418B52
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
                                                                                • Instruction ID: a6f061de5f65bcfc12aad11f4f9206430397a59d5b341d233af4a4b66c3bc3cb
                                                                                • Opcode Fuzzy Hash: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
                                                                                • Instruction Fuzzy Hash: 2671F22525D7C28BC7299B2888E43F6BF91AF9B201F5D96EED8D54F393C5126009C721
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
                                                                                • Instruction ID: d47c29e75058635cd2a269534cc6470dcf8caee24f761c67ccd67e0c7ffa5163
                                                                                • Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
                                                                                • Instruction Fuzzy Hash: 3581173954A7819FC711CF29C0D04A6FBE2BF9E204F5C999DE9C50B317C231A919CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d93cc05d5705e35d5f07734d747c2fdeac8241046273c9517190a540cdb5c5d4
                                                                                • Instruction ID: 696c0110e5b85f1b07b88114718ef56943a65a7f63507255594a7836c5c4a533
                                                                                • Opcode Fuzzy Hash: d93cc05d5705e35d5f07734d747c2fdeac8241046273c9517190a540cdb5c5d4
                                                                                • Instruction Fuzzy Hash: 604149217193828FDB198EA898DA3FABBD1DB89314F0846BDCDE5CB397D2558509C350
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3a59c80101b9c9fe1d0661acb315293b42169e8eb80163e622da2e78b71d7acd
                                                                                • Instruction ID: 74d29ea303612bcf5b23316e28a370380fa34bfe4b17321c8594a286e0251da6
                                                                                • Opcode Fuzzy Hash: 3a59c80101b9c9fe1d0661acb315293b42169e8eb80163e622da2e78b71d7acd
                                                                                • Instruction Fuzzy Hash: 5351F471D2020ADFDF18CFE8C881BEEBBF5BB08304F54846AE505A7245DBB59A81CB51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: df0f2ea11860a2f85d939616a373d6fa3e8512a294a337a349f1e876acd0ff36
                                                                                • Instruction ID: c12d8c186e39c24b2012568505418e513c8a9a883cdef3a4423885e0c5002e3d
                                                                                • Opcode Fuzzy Hash: df0f2ea11860a2f85d939616a373d6fa3e8512a294a337a349f1e876acd0ff36
                                                                                • Instruction Fuzzy Hash: CB512771D20229EFDB10CFE8D4857EEBBF5BF08304F5480AAE511A7244D77A9949CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
                                                                                • Instruction ID: c9603b6560f8fa3743c275a09d0d3d0932eba389cbc21fc84b59ca2d2121bd23
                                                                                • Opcode Fuzzy Hash: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
                                                                                • Instruction Fuzzy Hash: F6414B3A32D2838BC7198A7C84902F6FBA1EF9A300F5847BED995C7387D625950AC750
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
                                                                                • Instruction ID: 93a221c448464a7565d1e515b25fb90317252313e4359db1aae8c7f7ff6d9958
                                                                                • Opcode Fuzzy Hash: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
                                                                                • Instruction Fuzzy Hash: 84519E2920DBE24AC71A973C44A96F7FFE29F5B301B4E84EDC4DA8B367C6124118C760
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                                                                • Instruction ID: 6a8eeef8f56557aababd3b8dd6bdf0926fa59ff90c1e7b2cbf43f31f5687598d
                                                                                • Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                                                                • Instruction Fuzzy Hash: B5314E3374598203F71DCA2F9CA12BEEBD34FC522872DD57E99C98B356EDBA84168104
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f8ce826aaa34cac058739c94919c7f735e4a3bcb3b214c06b145b988ade39a99
                                                                                • Instruction ID: 92a0ea30ca7aa9bc84a0fb900119621289295c45cf6cdf77e5d77b5c48e9e7f5
                                                                                • Opcode Fuzzy Hash: f8ce826aaa34cac058739c94919c7f735e4a3bcb3b214c06b145b988ade39a99
                                                                                • Instruction Fuzzy Hash: 6F31E0F360879107E72CCA2D9C606ABBBD3ABC8244F1DC96DE5EEC3701E961A505CB54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
Strings
• String ID: D$D$Description$GUpdate$N$S$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll$a$a$c$e$e$e$i$i$l$l$l$m$p$r$s$v$y
Strings
• String ID: AMAg$BGRs$DGKb$DNEI$EMIt$ETLP$ETLP$LACp$LACs$MRHc$PCCi$RDHI$SNRt$TADI$TADI$TADI$TIBs$TLPs$TSIh$sFFo$sYHp$tXEt$tXTi$tXTz
APIs
Strings
• API ID: __aulldiv__aullrem
• String ID: $'$9$@$g$g
Strings
• String ID: A$B$C$D$E$F$R$S$T$W$\
APIs
• API ID: __ftol
APIs
• __EH_prolog.LIBCMT ref: 02261F7C
  • Part of subcall function 0225BBC0: __EH_prolog.LIBCMT ref: 0225BBC5
Strings
• API ID: H_prolog
• String ID: (C$@kC$`kC$`kC
Strings
• String ID: $($(
APIs
• API ID: __ftol
Strings
• String ID: $I$h$l$w
APIs
Strings
• API ID: H_prolog
• String ID: $(
APIs
Strings
• API ID: H_prolog
• String ID: 4$/C
APIs
Strings
• API ID: H_prolog
• String ID: $2C
APIs
Strings
• API ID: __ftol
• String ID: W
Strings
                                                                                • String ID: 4(@P$@$@$|UC
                                                                                • API String ID: 0-454489482
                                                                                • Opcode ID: 93dcb23c5257dcd60a7812e0b8bb21b4c0f74c0ef53ee1bd663b1737c28a1cdb
                                                                                • Instruction ID: ef6199130bc4347a6dbdcf98b4b6918766cab2e1278c283d973663c0af928559
                                                                                • Opcode Fuzzy Hash: 93dcb23c5257dcd60a7812e0b8bb21b4c0f74c0ef53ee1bd663b1737c28a1cdb
                                                                                • Instruction Fuzzy Hash: E8815171D50319AADB50EFE4C484BDEFBF9AF08348F61C065ED48E6184D7749685CBA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: +$-$0$0
                                                                                • API String ID: 0-699404926
                                                                                • Opcode ID: cae472c9c6fd4cb77f3c29947f7b0a329a60fd5621d20b1bf779988d992504c6
                                                                                • Instruction ID: d1c2c76396b50a798c9045b143c12035ab7ee265e0889fba834f48490857ee4a
                                                                                • Opcode Fuzzy Hash: cae472c9c6fd4cb77f3c29947f7b0a329a60fd5621d20b1bf779988d992504c6
                                                                                • Instruction Fuzzy Hash: E761BF30A3525ADBDF2D8FE6C9403A97BA5EB01315F19435AFC92A7298CF70E941CB50
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: D O$P O$\ O$h O
                                                                                • API String ID: 0-3003591817
                                                                                • Opcode ID: c4f34f34c212208e42cfb6fb293a5e3e66226cac0385e92f86c9542618333e27
                                                                                • Instruction ID: 4fb12e4a61f378d1639e6976173d3dd582169c6dabc1644b7481e303909578f4
                                                                                • Opcode Fuzzy Hash: c4f34f34c212208e42cfb6fb293a5e3e66226cac0385e92f86c9542618333e27
                                                                                • Instruction Fuzzy Hash: 473150713D0B2076DA34A2B48CA1FAF225A9BC1B08F104919F3179F1D5DFA5A949CB58
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: b$d$ebod$o
                                                                                • API String ID: 0-1029930840
                                                                                • Opcode ID: acbadcfb57dcda4163dcc304ebab0c7baf06d898b6c200ff2a5ce0519df96b6a
                                                                                • Instruction ID: 43ff31220ea1a44d39c59a785b0482f70860dc44f2a29231561b9592b43bfbce
                                                                                • Opcode Fuzzy Hash: acbadcfb57dcda4163dcc304ebab0c7baf06d898b6c200ff2a5ce0519df96b6a
                                                                                • Instruction Fuzzy Hash: 4141FF315183468FCB20CF69C9C471ABBE4FF88214F488499E9848B247D775E929CBE2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: C$C$C$C
                                                                                • API String ID: 0-676343647
                                                                                • Opcode ID: fe23ccd515b2ace34c302d0384a3f681617357e88bd8a8ff08ff69aa0b1c7eb3
                                                                                • Instruction ID: 2ec6c3a28750f44b97a0e91d80898a01d7b105a5085cda744ca33cffcc16f433
                                                                                • Opcode Fuzzy Hash: fe23ccd515b2ace34c302d0384a3f681617357e88bd8a8ff08ff69aa0b1c7eb3
                                                                                • Instruction Fuzzy Hash: 3FF09C5A84D1D16BD32146605C967E2FF80E515024F0833AEED9659902D10C63D39BE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.2174004066.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_21c0000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p<D$p<D$p<D$<D
                                                                                • API String ID: 0-3392635556
                                                                                • Opcode ID: d7e20b97c81ce5642a2247e5df64320131538b8b92db8579a6817d8d964a7d80
                                                                                • Instruction ID: e32a73eb211447985a4ea1bbcf7ca385f82448f2e7947d5026971fceb85e0041
                                                                                • Opcode Fuzzy Hash: d7e20b97c81ce5642a2247e5df64320131538b8b92db8579a6817d8d964a7d80
                                                                                • Instruction Fuzzy Hash: 61F04EB18092148FE3489F19E188A027FE0BB09755716C1EEE0199F332C3B4C904DF88

                                                                                Execution Graph

                                                                                Execution Coverage:1.7%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:12.6%
                                                                                Total number of Nodes:835
                                                                                Total number of Limit Nodes:46
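The execution_graph dump that follows is a flattened edge list: each node is a five-digit node ID followed by a six-hex-digit code address and the Win32 API names resolved in that basic block, edges appear as `src->dst`, and collapsed subgraphs show up as "N API calls" annotations (these correspond to the Limit Nodes counted above). Because the text is one long run of tokens, it is easier to triage with a small parser than by eye. The following is an added example, not code from the Joe Sandbox report or from the Joe Sandbox product; it assumes the token conventions just described (five-digit IDs, six-hex-char addresses, capitalised tokens are API names, lower-case tokens such as `ctype` or `__EH_prolog` are annotations), and the embedded sample is a hand-copied fragment of the first chain in the dump (the CreateProcessA / WaitForInputIdle / CloseHandle path) plus one collapsed node, constructed here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first subgraph of the flattened execution_graph dump
# (CreateProcessA -> WaitForInputIdle/WaitForSingleObject -> CloseHandle), plus
# one collapsed "6 API calls" node whose source (49885) is not defined here.
SAMPLE = (
    "execution_graph 49869 404b00 49871 404b2a CreateProcessA 49869->49871 "
    "49872 404bc1 49871->49872 49873 404c07 49871->49873 "
    "49874 404bd7 WaitForInputIdle 49872->49874 "
    "49875 404bc8 WaitForSingleObject 49872->49875 "
    "49876 404be7 CloseHandle CloseHandle 49874->49876 49875->49876 "
    "49918 47ba85 6 API calls ctype 49885->49918"
)

# Assumed token shapes (an assumption about the dump format, not a documented spec).
NODE_ID = re.compile(r"\d{5}")
ADDR = re.compile(r"[0-9a-f]{6}")
EDGE = re.compile(r"(\d{5})->(\d{5})")
API_NAME = re.compile(r"[A-Z][A-Za-z0-9]+")
NOISE = {"API", "library", "calls"}


def parse_execution_graph(text):
    """Turn the flattened dump into {node_id: {...}} and a list of (src, dst) edges."""
    tokens = text.split()
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.fullmatch(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A node starts with a 5-digit ID immediately followed by a 6-hex-char address.
        if NODE_ID.fullmatch(tok) and i + 1 < len(tokens) and ADDR.fullmatch(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": int(tokens[i + 1], 16), "apis": [],
                              "collapsed": [], "tags": []}
            i += 2
            continue
        if current is not None:
            node = nodes[current]
            # "N API calls" / "N library calls" marks a collapsed (limit) subgraph.
            if (tok.isdigit() and i + 2 < len(tokens) and tokens[i + 2] == "calls"
                    and tokens[i + 1] in ("API", "library")):
                node["collapsed"].append((int(tok), tokens[i + 1]))
                i += 3
                continue
            if API_NAME.fullmatch(tok) and tok not in NOISE:
                node["apis"].append(tok)
            elif tok not in NOISE:
                node["tags"].append(tok)  # ctype, __EH_prolog, ...
        i += 1
    return nodes, edges


def adjacency(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def api_sequence(nodes, edges, root):
    """Preorder DFS from root; returns API names in the order the graph reaches them."""
    adj = adjacency(edges)
    seen, out = set(), []

    def walk(n):
        if n in seen:
            return
        seen.add(n)
        if n in nodes:
            out.extend(nodes[n]["apis"])
        for child in adj.get(n, []):
            walk(child)

    walk(root)
    return out


def roots(nodes, edges):
    """Nodes that nothing points at: entry points of each subgraph in the dump."""
    targets = {dst for _, dst in edges}
    return [n for n in nodes if n not in targets]


def dangling_edges(nodes, edges):
    """Edges whose endpoint was never defined (truncated or collapsed regions)."""
    return [(s, d) for s, d in edges if s not in nodes or d not in nodes]


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    for r in roots(nodes, edges):
        print(hex(nodes[r]["addr"]), "->", " ".join(api_sequence(nodes, edges, r)))
    print("dangling:", dangling_edges(nodes, edges))
```

Running it on the constructed sample prints the API chain for the 0x404b00 root (CreateProcessA, WaitForInputIdle, CloseHandle, CloseHandle, WaitForSingleObject), which is the process-spawning helper the report's signatures point to, and flags the edge from the undefined node 49885 so that collapsed regions are not mistaken for real call paths.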
                                                                                execution_graph 49869 404b00 49871 404b2a CreateProcessA 49869->49871 49872 404bc1 49871->49872 49873 404c07 49871->49873 49874 404bd7 WaitForInputIdle 49872->49874 49875 404bc8 WaitForSingleObject 49872->49875 49876 404be7 CloseHandle CloseHandle 49874->49876 49875->49876 49877 473044 49884 47ae3d 49877->49884 49882 4730a2 49883 4730a6 49882->49883 49890 472ee5 49882->49890 49885 47ae47 __EH_prolog 49884->49885 49886 473058 49885->49886 49918 47ba85 6 API calls ctype 49885->49918 49886->49882 49917 474bb9 7 API calls 49886->49917 49889 47ae5e 49919 47baf5 LeaveCriticalSection 49889->49919 49920 4642c8 49890->49920 49892 472eef GetPropA 49893 472f22 49892->49893 49894 472fcf 49892->49894 49895 472fae 49893->49895 49896 472f2b 49893->49896 49926 472de8 58 API calls ctype 49894->49926 49924 472de8 58 API calls ctype 49895->49924 49898 472f30 49896->49898 49899 472f8a SetWindowLongA RemovePropA GlobalFindAtomA GlobalDeleteAtom 49896->49899 49902 472fed CallWindowProcA 49898->49902 49903 472f3b 49898->49903 49899->49902 49900 472fd7 49927 472de8 58 API calls ctype 49900->49927 49909 472f76 49902->49909 49921 472de8 58 API calls ctype 49903->49921 49905 472fb4 49925 472ba7 66 API calls 49905->49925 49908 472fdf 49928 472b46 64 API calls 49908->49928 49909->49883 49910 472fc6 49913 472fe9 49910->49913 49911 472f41 49922 472aaa GetWindowRect GetWindowLongA 49911->49922 49913->49902 49913->49909 49915 472f51 CallWindowProcA 49923 472acd 92 API calls 49915->49923 49917->49882 49918->49889 49919->49886 49920->49892 49921->49911 49922->49915 49923->49909 49924->49905 49925->49910 49926->49900 49927->49908 49928->49913 49929 415004 49932 405300 49929->49932 49933 405338 49932->49933 49934 4053bb 49932->49934 49946 4719ba 49933->49946 49936 405340 49949 471b28 49936->49949 49938 40539a 49977 471a6b 49938->49977 49940 405392 49969 471d43 49940->49969 49941 405367 49941->49938 49941->49940 49962 
471c7f 49941->49962 49984 4719d0 GetLastError 49946->49984 49948 4719c6 49948->49936 50011 4713a1 49949->50011 49957 471c32 49957->49941 49958 471c0e 49958->49957 49959 471c15 GetLastError 49958->49959 49960 471c24 ctype 49959->49960 49961 471553 ctype 35 API calls 49960->49961 49961->49957 49963 471cc4 49962->49963 49964 471c8d WriteFile 49962->49964 49963->49941 49965 471ca4 GetLastError 49964->49965 49966 471cb3 49964->49966 50095 4767b8 36 API calls ctype 49965->50095 49966->49963 50096 476879 36 API calls 2 library calls 49966->50096 49970 471d51 CloseHandle 49969->49970 49971 471d5f 49969->49971 49970->49971 49972 4713a1 ctype 35 API calls 49971->49972 49973 471d6f 49972->49973 49974 471d75 GetLastError 49973->49974 49975 471d83 49973->49975 50097 4767b8 36 API calls ctype 49974->50097 49975->49938 49980 471a75 __EH_prolog 49977->49980 49978 471a9a 49979 471416 ctype 32 API calls 49978->49979 49981 4053af 49979->49981 49980->49978 49982 471d43 ctype 38 API calls 49980->49982 49983 4719f8 23 API calls 49981->49983 49982->49978 49983->49934 49987 47ada8 49984->49987 49988 47adb1 49987->49988 49989 47adde TlsGetValue 49987->49989 49994 47adcb 49988->49994 50008 47a9a8 RaiseException TlsAlloc InitializeCriticalSection ctype 49988->50008 49990 47adf1 49989->49990 49992 4719e9 SetLastError 49990->49992 49996 47ae04 49990->49996 49992->49948 49998 47aa41 EnterCriticalSection 49994->49998 49995 47addc 49995->49989 50009 47abb0 8 API calls ctype 49996->50009 50002 47aa60 49998->50002 49999 47aaad GlobalHandle GlobalUnlock GlobalReAlloc 50003 47aacf 49999->50003 50000 47aa9a GlobalAlloc 50000->50003 50001 47ab31 LeaveCriticalSection 50001->49995 50002->49999 50002->50000 50007 47ab1c ctype 50002->50007 50004 47aadd GlobalHandle GlobalLock LeaveCriticalSection 50003->50004 50005 47aaf8 GlobalLock 50003->50005 50010 46f596 RaiseException ctype 50004->50010 50005->50007 50007->50001 50008->49994 50009->49992 50012 4713be 50011->50012 50013 4713a9 50011->50013 50015 471e54 
50012->50015 50014 471553 ctype 35 API calls 50013->50014 50014->50012 50035 4642c8 50015->50035 50017 471e5e GetFullPathNameA 50018 471e93 50017->50018 50019 471e81 lstrcpynA 50017->50019 50036 471f24 50018->50036 50028 471b60 50019->50028 50022 471ec4 50024 471ed1 50022->50024 50025 471eca CharUpperA 50022->50025 50026 471ed7 FindFirstFileA 50024->50026 50027 471f03 50024->50027 50025->50024 50026->50027 50029 471eec FindClose lstrcpyA 50026->50029 50043 471416 50027->50043 50030 471553 50028->50030 50029->50027 50031 471563 lstrlenA 50030->50031 50032 47155f 50030->50032 50031->50032 50085 4714d6 50032->50085 50034 471573 CreateFileA 50034->49957 50034->49958 50035->50017 50048 4717fa 50036->50048 50038 471f36 ctype 50039 471f42 lstrcpynA 50038->50039 50042 471f55 50039->50042 50054 471849 50042->50054 50044 471426 InterlockedDecrement 50043->50044 50045 47143e 50043->50045 50044->50045 50046 471434 50044->50046 50045->50028 50084 471305 31 API calls ctype 50046->50084 50049 47180d 50048->50049 50050 471841 50049->50050 50059 471283 50049->50059 50050->50038 50052 471824 ctype 50066 47137e 32 API calls ctype 50052->50066 50077 4713bf 50054->50077 50056 471851 50057 471862 GetVolumeInformationA 50056->50057 50058 47185a lstrlenA 50056->50058 50057->50022 50057->50027 50058->50057 50060 47128f 50059->50060 50062 471298 50059->50062 50060->50052 50061 4712a0 50067 460c36 50061->50067 50062->50061 50064 4712df 50062->50064 50074 471157 29 API calls ctype 50064->50074 50066->50050 50075 4642c8 50067->50075 50069 460c40 EnterCriticalSection 50070 460c5e 50069->50070 50071 460c8f LeaveCriticalSection 50069->50071 50076 470c40 29 API calls ctype 50070->50076 50071->50060 50073 460c70 50073->50071 50074->50060 50075->50069 50076->50073 50078 4713cb 50077->50078 50082 4713da ctype 50077->50082 50083 47134d 32 API calls ctype 50078->50083 50080 4713d0 50081 471283 ctype 31 API calls 50080->50081 50081->50082 50082->50056 50083->50080 50084->50045 50088 4713ed 50085->50088 
50087 4714e4 ctype 50087->50034 50089 4713fd 50088->50089 50090 471411 50089->50090 50094 47134d 32 API calls ctype 50089->50094 50090->50087 50092 471409 50093 471283 ctype 31 API calls 50092->50093 50093->50090 50094->50092 50095->49966 50097->49975 50098 4730c0 50099 47ada8 ctype 21 API calls 50098->50099 50100 4730d5 50099->50100 50101 4730f5 50100->50101 50102 4730de CallNextHookEx 50100->50102 50131 47a820 50101->50131 50112 4732ad 50102->50112 50105 47312e GetClassLongA 50110 473142 50105->50110 50123 47321d CallNextHookEx 50105->50123 50106 47317a 50108 473182 50106->50108 50109 47322b GetWindowLongA 50106->50109 50136 472e2d 58 API calls ctype 50108->50136 50114 47323b GetPropA 50109->50114 50109->50123 50115 473166 lstrcmpiA 50110->50115 50116 47314f GlobalGetAtomNameA 50110->50116 50111 4732a0 UnhookWindowsHookEx 50111->50112 50117 47324e SetPropA GetPropA 50114->50117 50114->50123 50115->50106 50115->50123 50116->50115 50118 473262 GlobalAddAtomA 50117->50118 50117->50123 50119 473277 50118->50119 50120 47327c SetWindowLongA 50118->50120 50119->50120 50120->50123 50121 473208 50122 47320d SetWindowLongA 50121->50122 50122->50123 50123->50111 50123->50112 50124 47318a 50124->50121 50137 472c1d 50124->50137 50127 4731d4 50128 4731d9 GetWindowLongA 50127->50128 50129 4731f6 50128->50129 50129->50123 50130 4731fa SetWindowLongA 50129->50130 50130->50123 50132 47ada8 ctype 21 API calls 50131->50132 50133 47a82f 50132->50133 50134 473105 50133->50134 50135 47ae3d ctype 7 API calls 50133->50135 50134->50105 50134->50106 50134->50123 50135->50134 50136->50124 50138 472c27 __EH_prolog 50137->50138 50139 47ada8 ctype 21 API calls 50138->50139 50140 472c3f 50139->50140 50141 472c9c 50140->50141 50151 472aaa GetWindowRect GetWindowLongA 50140->50151 50147 473c4a 50141->50147 50145 472cc5 50145->50121 50145->50127 50148 473c6c 50147->50148 50149 472cad 50148->50149 50153 473680 50148->50153 50149->50145 50152 472acd 92 API calls 50149->50152 50151->50141 
50152->50145 50154 4736af CallWindowProcA 50153->50154 50156 47368d 50153->50156 50155 4736c2 50154->50155 50155->50149 50156->50154 50157 47369b DefWindowProcA 50156->50157 50157->50155 50158 46490a 50169 4649af 50158->50169 50161 46491b GetCurrentProcess TerminateProcess 50163 46492c 50161->50163 50162 46496e 50164 464996 50162->50164 50165 46499d ExitProcess 50162->50165 50163->50162 50172 4224f0 50163->50172 50186 4649b8 LeaveCriticalSection ctype 50164->50186 50167 46499b 50187 4684f4 50169->50187 50171 464910 50171->50161 50171->50163 50173 422525 50172->50173 50174 42252b 50172->50174 50254 422a60 39 API calls 50173->50254 50176 42253f 50174->50176 50255 471180 50174->50255 50178 422550 50176->50178 50179 422549 CloseHandle 50176->50179 50180 471180 ctype 29 API calls 50178->50180 50179->50178 50181 422560 50180->50181 50182 471180 ctype 29 API calls 50181->50182 50183 42257f 50182->50183 50184 471180 ctype 29 API calls 50183->50184 50185 422595 50184->50185 50185->50163 50186->50167 50188 46850c 50187->50188 50189 46854a EnterCriticalSection 50187->50189 50202 462607 50188->50202 50189->50171 50192 468522 50194 4684f4 ctype 27 API calls 50192->50194 50195 46852a 50194->50195 50196 468531 InitializeCriticalSection 50195->50196 50197 46853b 50195->50197 50199 468540 50196->50199 50206 46251e 50197->50206 50223 468555 LeaveCriticalSection 50199->50223 50201 468548 50201->50189 50224 462619 50202->50224 50205 460e5d 7 API calls ctype 50205->50192 50207 46254c 50206->50207 50208 4625f8 50206->50208 50209 462556 50207->50209 50210 462591 50207->50210 50208->50199 50211 4684f4 ctype 28 API calls 50209->50211 50213 4684f4 ctype 28 API calls 50210->50213 50222 462582 50210->50222 50214 46255d ctype 50211->50214 50212 4625ea RtlFreeHeap 50212->50208 50219 46259d ctype 50213->50219 50215 462577 50214->50215 50250 4697a8 VirtualFree VirtualFree HeapFree ctype 50214->50250 50251 462588 LeaveCriticalSection ctype 50215->50251 50218 4625c9 50253 4625e0 
LeaveCriticalSection ctype 50218->50253 50219->50218 50252 46a52f VirtualFree HeapFree VirtualFree ctype 50219->50252 50222->50208 50222->50212 50223->50201 50225 462616 50224->50225 50227 462620 ctype 50224->50227 50225->50192 50225->50205 50227->50225 50228 462645 50227->50228 50229 462672 50228->50229 50231 4626b5 50228->50231 50230 4684f4 ctype 28 API calls 50229->50230 50235 4626a0 50229->50235 50232 462688 50230->50232 50234 4626d7 50231->50234 50231->50235 50246 469ad1 5 API calls __startOneArgErrorHandling 50232->50246 50233 462724 RtlAllocateHeap 50243 4626a7 50233->50243 50237 4684f4 ctype 28 API calls 50234->50237 50235->50233 50235->50243 50239 4626de 50237->50239 50238 462693 50247 4626ac LeaveCriticalSection ctype 50238->50247 50248 46a574 6 API calls 2 library calls 50239->50248 50242 4626f1 50249 46270b LeaveCriticalSection ctype 50242->50249 50243->50227 50245 4626fe 50245->50235 50245->50243 50246->50238 50247->50235 50248->50242 50249->50245 50250->50215 50251->50222 50252->50218 50253->50222 50254->50174 50256 46251e ctype 29 API calls 50255->50256 50257 471189 50256->50257 50257->50176 50258 471cca SetFilePointer 50259 471ce5 GetLastError 50258->50259 50260 471cf3 50258->50260 50262 4767b8 36 API calls ctype 50259->50262 50262->50260 50263 47b8a8 50268 47b8b2 50263->50268 50265 47b8ad 50276 46295b 35 API calls 50265->50276 50267 47b8c6 50269 47b924 GetVersion 50268->50269 50270 47b977 50269->50270 50271 47b965 GetProcessVersion 50269->50271 50277 47735f KiUserCallbackDispatcher GetSystemMetrics 50270->50277 50271->50270 50273 47b97e 50284 47731b 7 API calls 50273->50284 50275 47b988 LoadCursorA LoadCursorA 50275->50265 50276->50267 50278 477385 50277->50278 50279 47737e 50277->50279 50286 47b902 GetSystemMetrics GetSystemMetrics 50278->50286 50285 47b8d2 GetSystemMetrics GetSystemMetrics 50279->50285 50282 47738a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 50282->50273 50283 477383 50283->50282 50284->50275 50285->50283 50286->50282 50287 
40f470 50292 412b20 50287->50292 50291 40f481 50293 412b45 GetCurrentThreadId 50292->50293 50294 412b9e 50292->50294 50293->50294 50295 412b53 50293->50295 50357 4116f0 50294->50357 50297 412b80 50295->50297 50298 412b60 IsWindow 50295->50298 50300 40f47a 50297->50300 50301 412b8e ExitProcess 50297->50301 50298->50297 50299 412b6b SendMessageA 50298->50299 50299->50297 50356 47b1d3 39 API calls ctype 50300->50356 50305 405920 2 API calls 50306 412c47 50305->50306 50307 405920 2 API calls 50306->50307 50315 412c52 50307->50315 50308 412caa 50309 412cec 50308->50309 50312 412cd2 50308->50312 50313 412cbd FreeLibrary 50308->50313 50318 4713a1 ctype 35 API calls 50309->50318 50310 412c7e 50311 405920 2 API calls 50310->50311 50316 412c89 50311->50316 50317 405920 2 API calls 50312->50317 50313->50312 50313->50313 50314 412c72 FreeLibrary 50314->50315 50315->50308 50315->50310 50315->50314 50319 405920 2 API calls 50316->50319 50320 412cdd 50317->50320 50321 412cfe 50318->50321 50322 412c94 50319->50322 50323 47058b 32 API calls 50320->50323 50324 412d23 50321->50324 50325 412d16 DestroyIcon 50321->50325 50326 405920 2 API calls 50322->50326 50323->50309 50327 412d3a 50324->50327 50328 412d2d DestroyIcon 50324->50328 50325->50324 50329 412c9f 50326->50329 50331 412d44 IsWindow 50327->50331 50332 412d55 50327->50332 50328->50327 50330 405920 2 API calls 50329->50330 50330->50308 50331->50332 50334 412d4f 50331->50334 50367 4104f0 50332->50367 50411 472d76 50334->50411 50337 412dad 50388 414df0 50337->50388 50340 412e2b 50341 405920 2 API calls 50340->50341 50342 412e36 50341->50342 50345 412e4b 50342->50345 50346 412e3f WSACleanup 50342->50346 50343 412df3 DestroyIcon 50344 412db6 50343->50344 50344->50340 50344->50343 50351 471180 29 API calls ctype 50344->50351 50347 412e57 50345->50347 50348 412e79 50345->50348 50346->50345 50347->50348 50419 412710 63 API calls ctype 50347->50419 50394 47058b 50348->50394 50351->50344 50352 412e88 50353 47058b 32 API calls 
50352->50353 50354 412e97 50353->50354 50354->50300 50355 412ea1 CoUninitialize 50354->50355 50355->50300 50356->50291 50358 405920 2 API calls 50357->50358 50359 4116fe 50358->50359 50360 405920 2 API calls 50359->50360 50361 411709 50360->50361 50362 405920 2 API calls 50361->50362 50363 411714 50362->50363 50364 405920 50363->50364 50420 405940 50364->50420 50366 40592c 50366->50305 50375 410528 50367->50375 50368 4105c5 50369 405920 2 API calls 50368->50369 50370 4105d0 50369->50370 50371 405920 2 API calls 50370->50371 50372 4105db 50371->50372 50376 470825 50372->50376 50373 4719f8 23 API calls 50373->50375 50374 4719ba 23 API calls 50374->50375 50375->50368 50375->50373 50375->50374 50377 470835 50376->50377 50378 470841 50377->50378 50379 470858 50377->50379 50380 471180 ctype 29 API calls 50378->50380 50381 470884 50379->50381 50382 47085f 50379->50382 50387 470849 ctype 50380->50387 50381->50387 50427 471157 29 API calls ctype 50381->50427 50426 471157 29 API calls ctype 50382->50426 50385 4708f2 ctype 50386 471180 ctype 29 API calls 50385->50386 50386->50387 50387->50337 50389 414df8 50388->50389 50428 414ec0 50389->50428 50393 414e09 50393->50344 50395 47059b 50394->50395 50396 4705a7 50395->50396 50397 4705cb 50395->50397 50461 470569 32 API calls ctype 50396->50461 50399 4705f5 50397->50399 50400 4705d2 50397->50400 50403 4705fc 50399->50403 50408 470625 50399->50408 50462 471157 29 API calls ctype 50400->50462 50401 4705b2 50404 471180 ctype 29 API calls 50401->50404 50405 4705ba 50403->50405 50463 470569 32 API calls ctype 50403->50463 50404->50405 50405->50352 50464 471157 29 API calls ctype 50408->50464 50409 470667 ctype 50410 471180 ctype 29 API calls 50409->50410 50410->50405 50412 472d80 __EH_prolog 50411->50412 50465 47a846 50412->50465 50414 472d86 ctype 50418 472dc4 ctype 50414->50418 50470 471157 29 API calls ctype 50414->50470 50416 472da8 50416->50418 50471 476dc7 29 API calls 2 library calls 50416->50471 50418->50332 50419->50347 50421 
40594a 50420->50421 50422 40599e 50420->50422 50423 405994 RtlFreeHeap 50421->50423 50424 405989 GetProcessHeap 50421->50424 50425 40595e 50421->50425 50422->50366 50423->50422 50424->50423 50425->50366 50426->50387 50427->50385 50429 414ed3 50428->50429 50430 414f0c 50428->50430 50429->50430 50434 414efa WaitForSingleObject 50429->50434 50431 414f18 CloseHandle 50430->50431 50433 414f35 50430->50433 50431->50433 50432 414f56 50452 4104b0 50432->50452 50433->50432 50457 4225c0 39 API calls ctype 50433->50457 50434->50430 50438 437060 50439 437083 50438->50439 50440 437098 EnterCriticalSection 50438->50440 50458 437150 EnterCriticalSection SetEvent LeaveCriticalSection 50439->50458 50442 4370bf 50440->50442 50444 4370f1 LeaveCriticalSection 50442->50444 50459 437860 29 API calls ctype 50442->50459 50443 437088 50443->50393 50460 437150 EnterCriticalSection SetEvent LeaveCriticalSection 50444->50460 50447 437101 50448 437129 50447->50448 50449 43711e WaitForSingleObject 50447->50449 50450 471180 ctype 29 API calls 50448->50450 50449->50447 50451 43712f 50450->50451 50451->50393 50453 405920 2 API calls 50452->50453 50454 4104be 50453->50454 50455 405920 2 API calls 50454->50455 50456 4104c9 50455->50456 50456->50438 50457->50432 50458->50443 50459->50442 50460->50447 50461->50401 50462->50405 50463->50405 50464->50409 50466 47a820 ctype 28 API calls 50465->50466 50467 47a84b 50466->50467 50468 47ada8 ctype 21 API calls 50467->50468 50469 47a85c 50468->50469 50469->50414 50470->50416 50471->50418 50472 4055f0 50475 4053e0 50472->50475 50474 405608 50476 405411 50475->50476 50477 405542 50476->50477 50478 4054b0 50476->50478 50479 4054f1 50476->50479 50477->50474 50486 471157 29 API calls ctype 50478->50486 50487 471157 29 API calls ctype 50479->50487 50482 4054fb 50484 4054b7 50482->50484 50488 41aa00 wsprintfA 50482->50488 50485 471b28 48 API calls 50484->50485 50485->50477 50486->50484 50487->50482 50488->50484 50489 405290 50490 40529c 50489->50490 50491 4052c6 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00412B45
                                                                                • IsWindow.USER32(00000000), ref: 00412B61
                                                                                • SendMessageA.USER32(00000000,000083E7,00412451,00000000), ref: 00412B7A
                                                                                • ExitProcess.KERNEL32 ref: 00412B8F
                                                                                • FreeLibrary.KERNEL32(?), ref: 00412C73
                                                                                • FreeLibrary.KERNEL32 ref: 00412CC7
                                                                                • DestroyIcon.USER32(00000000), ref: 00412D17
                                                                                • DestroyIcon.USER32(00000000), ref: 00412D2E
                                                                                • IsWindow.USER32(00000000), ref: 00412D45
                                                                                • DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 00412DF4
                                                                                • WSACleanup.WS2_32 ref: 00412E3F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                                                                                • String ID:
                                                                                • API String ID: 3816745216-0
                                                                                • Opcode ID: fc41dee945cba4ad6fcca4ca756a7c5a508226ca7758bda3985d190047640c18
                                                                                • Instruction ID: ed209e40a7f129c8e06348e0a1b8d639cb71a344ac6e59fa71ce80ba406a64ea
                                                                                • Opcode Fuzzy Hash: fc41dee945cba4ad6fcca4ca756a7c5a508226ca7758bda3985d190047640c18
                                                                                • Instruction Fuzzy Hash: F1B189B02007029BC724DF69DAC5BEBB3E4BF48314F40492EE59AD7291DB74B991CB58

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32 ref: 004368D9
                                                                                • OleInitialize.OLE32(00000000), ref: 00436915
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00436933
                                                                                • SetCurrentDirectoryA.KERNELBASE(00995B50,?), ref: 0043698D
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 004369E8
                                                                                • GetStockObject.GDI32(00000005), ref: 00436A09
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00436A31
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
                                                                                • String ID: _EL_HideOwner$H
                                                                                • API String ID: 3783217854-2140555221
                                                                                • Opcode ID: d79f3ec82efd9eebe0b2e66ddaa75544693db9cf740bc9bd72d0af303867b13d
                                                                                • Instruction ID: 8804ab0bc15efdc6dfd84aaac6fe857ae88efd8b79df5c953382c4619605bb5e
                                                                                • Opcode Fuzzy Hash: d79f3ec82efd9eebe0b2e66ddaa75544693db9cf740bc9bd72d0af303867b13d
                                                                                • Instruction Fuzzy Hash: ADE1C370A00215AFCB54DF55CC81BEEB7B4FF48304F15816EE909A7292DB786945CFA8

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00471E59
                                                                                • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00471E77
                                                                                • lstrcpynA.KERNEL32(?,?,00000104), ref: 00471E86
                                                                                • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00471EBA
                                                                                • CharUpperA.USER32(?), ref: 00471ECB
                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 00471EE1
                                                                                • FindClose.KERNEL32(00000000), ref: 00471EED
                                                                                • lstrcpyA.KERNEL32(?,?), ref: 00471EFD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
                                                                                • String ID: \VO
                                                                                • API String ID: 304730633-2422581269
                                                                                • Opcode ID: 250a0445023347aa0dfd9e5b24a9585397951416ed4b89414bf21412460573f5
                                                                                • Instruction ID: e2d836120a05c0c4c6c4e345ef4b6637e263a4b4f97f833c06cf321b42ac82b3
                                                                                • Opcode Fuzzy Hash: 250a0445023347aa0dfd9e5b24a9585397951416ed4b89414bf21412460573f5
                                                                                • Instruction Fuzzy Hash: 56218B71500118BBCB50AF69DC48EEF7FBCEF05765F00852AF919E61A0D7748A49CBA8

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,004F565C), ref: 00411E07
                                                                                • LoadLibraryA.KERNEL32(?,?,005059A0), ref: 00411EF9
                                                                                • LoadLibraryA.KERNELBASE(?,?), ref: 00411F3F
                                                                                • LoadLibraryA.KERNELBASE(?,?,005058A8,00000001), ref: 00411F87
                                                                                • LoadLibraryA.KERNEL32(00000001), ref: 00411F9D
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00411FAF
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00412042
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressProc$Free
                                                                                • String ID:
                                                                                • API String ID: 3120990465-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,?,?,0047B8AD), ref: 0047B929
                                                                                • GetProcessVersion.KERNELBASE(00000000,?,?,?,0047B8AD), ref: 0047B966
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 0047B994
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 0047B99F
                                                                                Similarity
                                                                                • API ID: CursorLoadVersion$Process
                                                                                • String ID:
                                                                                • API String ID: 2246821583-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7
                                                                                • CallNextHookEx.USER32(?,00000003,?,?), ref: 004730EA
                                                                                • GetClassLongA.USER32(?,000000E6), ref: 00473131
                                                                                • GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_0007A12E), ref: 0047315D
                                                                                • lstrcmpiA.KERNEL32(?,ime), ref: 0047316C
                                                                                • GetWindowLongA.USER32(?,000000FC), ref: 004731DF
                                                                                • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00473200
                                                                                Similarity
                                                                                • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
                                                                                • String ID: AfxOldWndProc423$ime
                                                                                • API String ID: 3731301195-104836986

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00472EEA
                                                                                • GetPropA.USER32(?,AfxOldWndProc423), ref: 00472F02
                                                                                • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00472F60
                                                                                  • Part of subcall function 00472ACD: GetWindowRect.USER32(?,?), ref: 00472AF2
                                                                                  • Part of subcall function 00472ACD: GetWindow.USER32(?,00000004), ref: 00472B0F
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00472F90
                                                                                • RemovePropA.USER32(?,AfxOldWndProc423), ref: 00472F98
                                                                                • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00472F9F
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00472FA6
                                                                                  • Part of subcall function 00472AAA: GetWindowRect.USER32(?,?), ref: 00472AB6
                                                                                • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00472FFA
                                                                                Similarity
                                                                                • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                                                                • String ID: AfxOldWndProc423
                                                                                • API String ID: 2397448395-1060338832

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0000001C,0051A4BC,00000000,?,00000000,00000000,0047ADDC,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000), ref: 0047AA50
                                                                                • GlobalAlloc.KERNELBASE(00002002,?,?,?,00000000,00000000,0047ADDC,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000), ref: 0047AAA5
                                                                                • GlobalHandle.KERNEL32(?), ref: 0047AAAE
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0047AAB7
                                                                                • GlobalReAlloc.KERNEL32(00000000,?,00002002), ref: 0047AAC9
                                                                                • GlobalHandle.KERNEL32(?), ref: 0047AAE0
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0047AAE7
                                                                                • LeaveCriticalSection.KERNEL32(00460E35,?,?,00000000,00000000,0047ADDC,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000), ref: 0047AAED
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0047AAFC
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0047AB45
                                                                                Similarity
                                                                                • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                                • String ID:
                                                                                • API String ID: 2667261700-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00404BB7
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404BCF
                                                                                • WaitForInputIdle.USER32(?,000003E8), ref: 00404BE1
                                                                                • CloseHandle.KERNEL32(?), ref: 00404BF2
                                                                                • CloseHandle.KERNEL32(?), ref: 00404BF9
                                                                                Similarity
                                                                                • API ID: CloseHandleWait$CreateIdleInputObjectProcessSingle
                                                                                • String ID: D
                                                                                • API String ID: 2811420030-2746444292

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0047736C
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 00477373
                                                                                • GetDC.USER32(00000000), ref: 0047738C
                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0047739D
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004773A5
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 004773AD
                                                                                  • Part of subcall function 0047B8D2: GetSystemMetrics.USER32(00000002), ref: 0047B8E4
                                                                                  • Part of subcall function 0047B8D2: GetSystemMetrics.USER32(00000003), ref: 0047B8EE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                                                • String ID:
                                                                                • API String ID: 1031845853-0

                                                                                Control-flow Graph

                                                                                control_flow_graph 795 47a9ea-47a9f3 796 47a9f5-47a9f6 TlsFree 795->796 797 47a9fc-47aa01 795->797 796->797 798 47aa16-47aa1b 797->798 799 47aa03-47aa14 call 47acb6 797->799 801 47aa34-47aa40 DeleteCriticalSection 798->801 802 47aa1d-47aa2e GlobalHandle GlobalUnlock GlobalFree 798->802 799->798 802->801
                                                                                APIs
                                                                                • TlsFree.KERNELBASE(00000000,?,?,0047AEF7,00000000,00000001), ref: 0047A9F6
                                                                                • GlobalHandle.KERNEL32(?), ref: 0047AA1E
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0047AA27
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0047AA2E
                                                                                • DeleteCriticalSection.KERNEL32(-0000001C,?,?,0047AEF7,00000000,00000001), ref: 0047AA38
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Global$Free$CriticalDeleteHandleSectionUnlock
                                                                                • String ID:
                                                                                • API String ID: 2159622880-0

                                                                                Control-flow Graph

                                                                                control_flow_graph 877 46490a-464919 call 4649af 880 46492c-464942 877->880 881 46491b-464926 GetCurrentProcess TerminateProcess 877->881 882 464944-46494b 880->882 883 464980-464994 call 4649c1 880->883 881->880 884 46496f-46497f call 4649c1 882->884 885 46494d-464959 882->885 894 464996-46499c call 4649b8 883->894 895 46499d-4649a7 ExitProcess 883->895 884->883 887 46496e 885->887 888 46495b-46495f 885->888 887->884 891 464963-46496c 888->891 892 464961 call 4224f0 888->892 891->887 891->888 892->891
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(?,?,004648F5,?,00000000,00000000,00460E3E,00000000,00000000), ref: 0046491F
                                                                                • TerminateProcess.KERNEL32(00000000,?,004648F5,?,00000000,00000000,00460E3E,00000000,00000000), ref: 00464926
                                                                                • ExitProcess.KERNEL32 ref: 004649A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0

                                                                                Control-flow Graph

                                                                                control_flow_graph 899 471b28-471b77 call 4713a1 call 471e54 call 471553 906 471b8d 899->906 907 471b79-471b7a 899->907 908 471b92-471b9a 906->908 909 471b86-471b8b 907->909 910 471b7c-471b7d 907->910 911 471bbd 908->911 912 471b9c-471b9f 908->912 909->908 910->908 913 471b7f-471b84 910->913 915 471bbf-471bdc 911->915 912->911 914 471ba1-471ba4 912->914 913->908 916 471ba6-471ba9 914->916 917 471bb9-471bbb 914->917 918 471bef-471bf1 915->918 919 471bde-471bed 915->919 920 471bb5-471bb7 916->920 921 471bab-471bae 916->921 917->915 922 471bf2-471c0c CreateFileA 918->922 919->922 924 471bb2-471bb3 920->924 921->911 923 471bb0 921->923 925 471c36-471c3c 922->925 926 471c0e-471c13 922->926 923->924 924->915 929 471c3e-471c42 925->929 927 471c15-471c2d GetLastError call 4768e4 call 471553 926->927 928 471c32-471c34 926->928 927->928 928->929
                                                                                APIs
                                                                                  • Part of subcall function 00471E54: __EH_prolog.LIBCMT ref: 00471E59
                                                                                  • Part of subcall function 00471E54: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00471E77
                                                                                  • Part of subcall function 00471E54: lstrcpynA.KERNEL32(?,?,00000104), ref: 00471E86
                                                                                • CreateFileA.KERNELBASE(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,?,?), ref: 00471C03
                                                                                • GetLastError.KERNEL32 ref: 00471C15
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateErrorFileFullH_prologLastNamePathlstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 1034715445-0

                                                                                Control-flow Graph

                                                                                control_flow_graph 933 405740-40574a 934 40575c-405762 933->934 935 40574c-405759 call 405810 933->935 937 405764-405769 934->937 938 40576c-405778 934->938 940 4057c6-4057cd 938->940 941 40577a-405780 938->941 943 4057da-4057ef RtlAllocateHeap 940->943 944 4057cf-4057d5 GetProcessHeap 940->944 941->940 942 405782-405788 941->942 942->940 945 40578a-4057c3 call 4061b0 942->945 946 4057f1-4057fa 943->946 947 4057fd-405806 943->947 944->943
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(?,?,0040592C,?,?,00405C7B,?,00000020,00000000), ref: 00405989
                                                                                • RtlFreeHeap.NTDLL(00710000,00000000,?,?,?,0040592C,?,?,00405C7B,?,00000020,00000000), ref: 00405998
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$FreeProcess
                                                                                • String ID:
                                                                                • API String ID: 3859560861-0
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00000000,00000000,004773E1,00000000,00000000,00000000,00000000,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000,00460E35), ref: 0047B60D
                                                                                • SetErrorMode.KERNELBASE(00000000,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000,00460E35,00000000), ref: 0047B614
                                                                                  • Part of subcall function 0047B667: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0047B698
                                                                                  • Part of subcall function 0047B667: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0047B739
                                                                                  • Part of subcall function 0047B667: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0047B766
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                                                • String ID:
                                                                                • API String ID: 3389432936-0
                                                                                • Opcode ID: 5b14771f580f11cfaa7e58d3d1439a043137e5be7d797193ad66c22d773f1a6c
                                                                                • Instruction ID: 2320fb4fd96b6d00a6cf76dd4050b610bf7e593baadde4c3a9f6d72b4a54eb2f
                                                                                • Opcode Fuzzy Hash: 5b14771f580f11cfaa7e58d3d1439a043137e5be7d797193ad66c22d773f1a6c
                                                                                • Instruction Fuzzy Hash: A4F014719142148FD714BF259544B9A7BA4AF84714F06C48FB4589B3A2CB78D841CBDA
                                                                                APIs
                                                                                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000001,?,0040538F,-00000010,?,?,00001011,00000000), ref: 00471C9A
                                                                                • GetLastError.KERNEL32(?,?,0040538F,-00000010,?,?,00001011,00000000), ref: 00471CA7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID:
                                                                                • API String ID: 442123175-0
                                                                                • Opcode ID: 47dceefd5245bc25ced4496cbfdac00697379506926715628ac434943bcfb0b1
                                                                                • Instruction ID: c000a47c79c8a0b6e56d224ec5ab748d5e53ffaac236b6e6883e22b220ef0a59
                                                                                • Opcode Fuzzy Hash: 47dceefd5245bc25ced4496cbfdac00697379506926715628ac434943bcfb0b1
                                                                                • Instruction Fuzzy Hash: A3F08236140604BECB211F9ADC04EDBBBADEB40770F10C22FB92C862A0C6759D048B54
                                                                                APIs
                                                                                • HeapCreate.KERNELBASE(00000000,00001000,00000000,00460DB3,00000001), ref: 00465E47
                                                                                  • Part of subcall function 00465CEE: GetVersionExA.KERNEL32 ref: 00465D0D
                                                                                • HeapDestroy.KERNEL32 ref: 00465E86
                                                                                  • Part of subcall function 00469735: HeapAlloc.KERNEL32(00000000,00000140,00465E6F,000003F8), ref: 00469742
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocCreateDestroyVersion
                                                                                • String ID:
                                                                                • API String ID: 2507506473-0
                                                                                • Opcode ID: 65a65d2f0146af5c590d5e2659ee1c5cdf0d23c73ed019bc772435702c46db11
                                                                                • Instruction ID: a0a07d5f6ef47e9a31fb5ba0a86ad274b885f3dddbf848ce5fadc29b5feac161
                                                                                • Opcode Fuzzy Hash: 65a65d2f0146af5c590d5e2659ee1c5cdf0d23c73ed019bc772435702c46db11
                                                                                • Instruction Fuzzy Hash: 24F02B30610B019FDF511B70EC4277F36949BA8742F10443BF414C81A0FB7A8A80EA0B
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00476149
                                                                                • SetWindowsHookExA.USER32(000000FF,0047648B,00000000,00000000), ref: 00476159
                                                                                  • Part of subcall function 0047AE3D: __EH_prolog.LIBCMT ref: 0047AE42
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentH_prologHookThreadWindows
                                                                                • String ID:
                                                                                • API String ID: 2183259885-0
                                                                                • Opcode ID: 6ed524ea6b626c4bf913e27a216419fa15f6b26b4eef44a1b3932e5cb487c9f5
                                                                                • Instruction ID: 04d794927e159a9c77c18dc1f4b87309b5d25260c7b9e6771a5c100da6152ee7
                                                                                • Opcode Fuzzy Hash: 6ed524ea6b626c4bf913e27a216419fa15f6b26b4eef44a1b3932e5cb487c9f5
                                                                                • Instruction Fuzzy Hash: F9F0A7318416106ED7313BB0A90DBDD3691AF80329F468A6EF01E561D2CA7C9C95879F
                                                                                APIs
                                                                                • DefWindowProcA.USER32(?,?,?,?), ref: 004736A7
                                                                                • CallWindowProcA.USER32(?,?,?,?,?), ref: 004736BC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcWindow$Call
                                                                                • String ID:
                                                                                • API String ID: 2316559721-0
                                                                                • Opcode ID: 04255d8f0689b27ad34f9315ce48b136e3f363a0b11fafc09143a0432f032855
                                                                                • Instruction ID: 7c0467fbb08ad2cf0e332a6adcaeea09075dcd2878342973343fab0fca15c555
                                                                                • Opcode Fuzzy Hash: 04255d8f0689b27ad34f9315ce48b136e3f363a0b11fafc09143a0432f032855
                                                                                • Instruction Fuzzy Hash: C9F0AC36100209FFDF619F95DC04DDA7BBAFF08351B04842AF94986630D732D924AF58
                                                                                APIs
                                                                                  • Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004732D8
                                                                                • SetWindowsHookExA.USER32(00000005,004730C0,00000000,00000000), ref: 004732E8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentHookThreadValueWindows
                                                                                • String ID:
                                                                                • API String ID: 933525246-0
                                                                                • Opcode ID: 48e2ee42c925738d53d30427ce92e4bdf6030603648785bb5e67bd1e7ea298a1
                                                                                • Instruction ID: 8e9cffbd0a64c4f9a0841eb6c3453586b692654789145f2ad359f041e18820ed
                                                                                • Opcode Fuzzy Hash: 48e2ee42c925738d53d30427ce92e4bdf6030603648785bb5e67bd1e7ea298a1
                                                                                • Instruction Fuzzy Hash: 07E065312407009FD3705F11A805B9B77E4EBC5B12F10852FF14E91581D2789949CF6F
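The two records above are the ones a triage analyst stops on, because SetWindowsHookExA is also how keyloggers capture input. Whether a hook matters depends on the first argument: WH_KEYBOARD (2) or WH_KEYBOARD_LL (13) is a keylogging signal, while WH_CBT (5) installed together with GetCurrentThreadId is what a GUI framework's window-creation hook looks like. The following parser is an added example, not code from the Joe Sandbox report or product: it reads records in the layout used on this page (the "APIs" and "Similarity" blocks), decodes argument tokens ("?" for unknown, signed hex such as -00000010) and names the hook type. SAMPLE is a constructed three-record excerpt taken from this listing. Note that the first record's idHook is listed as 000000FF, which read as a 32-bit argument is 255 and matches no documented WH_ constant (WH_MSGFILTER is -1, i.e. FFFFFFFF), so the decoder reports it as unknown rather than guessing.

```python
"""Parse Joe Sandbox function records and decode SetWindowsHookEx hook types.
Added example; SAMPLE is a constructed excerpt in the page's record layout."""
import re
from typing import Optional

SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00476149
• SetWindowsHookExA.USER32(000000FF,0047648B,00000000,00000000), ref: 00476159
  • Part of subcall function 0047AE3D: __EH_prolog.LIBCMT ref: 0047AE42
Similarity
• API ID: CurrentH_prologHookThreadWindows
• String ID:
• API String ID: 2183259885-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 004732D8
• SetWindowsHookExA.USER32(00000005,004730C0,00000000,00000000), ref: 004732E8
Similarity
• API ID: CurrentHookThreadValueWindows
• API String ID: 933525246-0
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000001,?,0040538F,-00000010), ref: 00471C9A
• GetLastError.KERNEL32(?,?,0040538F,-00000010), ref: 00471CA7
Similarity
• API ID: ErrorFileLastWrite
• API String ID: 442123175-0
"""

# Documented WH_* hook ids from winuser.h.
WH_NAMES = {-1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
            2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC",
            5: "WH_CBT", 6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE",
            9: "WH_DEBUG", 10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE",
            12: "WH_CALLWNDPROCRET", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
KEYLOG_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}

# One API line: optional "Part of subcall function XXXX: " prefix, Name.Module,
# optional "(args)", then "ref: <addr>".
API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s+(?P<ref>[0-9A-F]{8})$")

SECTION_HEADERS = {"Similarity", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches"}


def parse_arg(tok: str) -> Optional[int]:
    """'?' means the analyser could not recover the value; hex may be signed."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_records(text: str) -> list:
    """Split the listing into records, each with its API calls and Similarity keys."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            records.append({"apis": [], "similarity": {}})
            section = "apis"
        elif line in SECTION_HEADERS:
            section = line
        elif section == "apis" and (m := API_RE.match(line)):
            args = m.group("args")
            records[-1]["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": [parse_arg(a) for a in args.split(",")] if args else [],
                "ref": int(m.group("ref"), 16), "subcall_of": m.group("caller")})
        elif section == "Similarity" and line.startswith("• "):
            key, _, value = line[2:].partition(":")
            records[-1]["similarity"][key.strip()] = value.strip()
    return records


def hook_installs(records: list) -> list:
    """Every SetWindowsHookExA/W call with its decoded idHook and thread scope."""
    found = []
    for rec in records:
        for api in rec["apis"]:
            if not api["name"].startswith("SetWindowsHookEx") or len(api["args"]) < 4:
                continue
            raw = api["args"][0]
            if raw is None:
                name = "unknown(?)"
            else:  # fold the 32-bit value so FFFFFFFF decodes as -1 (WH_MSGFILTER)
                signed = raw - (1 << 32) if raw >= (1 << 31) else raw
                name = WH_NAMES.get(signed, f"unknown(0x{raw:x})")
            found.append({"ref": f"{api['ref']:08X}", "hook": name,
                          "thread_id": api["args"][3],
                          "keylogger_signal": name in KEYLOG_HOOKS,
                          "api_string_id": rec["similarity"].get("API String ID")})
    return found


if __name__ == "__main__":
    for h in hook_installs(parse_records(SAMPLE)):
        print(h)
```

Run it against the full "Execution Graph" listing of a report by replacing SAMPLE with the pasted text; the record boundary is the bare "APIs" line, and the Memory Dump Source and Joe Sandbox IDA Plugin blocks are skipped, so the extra fields on the real page do not need trimming first.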
                                                                                APIs
                                                                                • ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,?,00405BDC,00000000,?,?,?,00000020,00000000), ref: 00471C61
                                                                                • GetLastError.KERNEL32(00000000,?,00405BDC,00000000,?,?,?,00000020,00000000), ref: 00471C6C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastRead
                                                                                • String ID:
                                                                                • API String ID: 1948546556-0
                                                                                • Opcode ID: db8aba3207218030cfe10faf18aac98454dcc6773de3e7153485178c60010af0
                                                                                • Instruction ID: cde6cd80389db1ff695e46d94cb178a5bd06d8fae6ee96b5f78b3fabf4a5c83d
                                                                                • Opcode Fuzzy Hash: db8aba3207218030cfe10faf18aac98454dcc6773de3e7153485178c60010af0
                                                                                • Instruction Fuzzy Hash: FEE01A35140108BECB419FA4CC09BAA37ACAB14364F50C429FA0D89121D379DA149B58
                                                                                APIs
                                                                                • SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 00471CD8
                                                                                • GetLastError.KERNEL32(00000000), ref: 00471CE7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastPointer
                                                                                • String ID:
                                                                                • API String ID: 2976181284-0
                                                                                • Opcode ID: f7a5aac452f92fd95c2d74539cc431d932561d1bc4f051168de2df114fd2c7cb
                                                                                • Instruction ID: a04f4869bda53a3118dedb80bb732d0e95e74d589545e1f2bd94533fe4d0ef89
                                                                                • Opcode Fuzzy Hash: f7a5aac452f92fd95c2d74539cc431d932561d1bc4f051168de2df114fd2c7cb
                                                                                • Instruction Fuzzy Hash: F1D02E325002207BC6402BB4AC0CB8EBA58BB08370F008E2DFA68921E0C2318C008B88
                                                                                APIs
                                                                                • CloseHandle.KERNELBASE(00000001,?,?,00471A9A,?,?,004053AF,?,00001011,00000000), ref: 00471D52
                                                                                • GetLastError.KERNEL32(00000000,00471A9A,?,?,004053AF,?,00001011,00000000), ref: 00471D77
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast
                                                                                • String ID:
                                                                                • API String ID: 918212764-0
                                                                                • Opcode ID: 49e209c4838e752c1f3ffcc021e22d6e438bd5d28509f11fa13fcf0b190be5c7
                                                                                • Instruction ID: bbea7f99e76b3f8be1789acf1449d3c4bfd1672b9e7af03307286c4fd815d9f6
                                                                                • Opcode Fuzzy Hash: 49e209c4838e752c1f3ffcc021e22d6e438bd5d28509f11fa13fcf0b190be5c7
                                                                                • Instruction Fuzzy Hash: B0E092325006004BC324673ADC09A9A7399AFC0735F15CB1EE57EC71F08F74A8094614
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0046272C
                                                                                  • Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
                                                                                  • Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                                                • String ID:
                                                                                • API String ID: 1616793339-0
                                                                                • Opcode ID: 29931c076774e1051b49fffcf52d0de2c459819f239985ebd23dc097d5d039ef
                                                                                • Instruction ID: 23e391cb68311790ba82c6ec2bfbf30b62cd7d727e348196dacd33d14ba1cee1
                                                                                • Opcode Fuzzy Hash: 29931c076774e1051b49fffcf52d0de2c459819f239985ebd23dc097d5d039ef
                                                                                • Instruction Fuzzy Hash: 5321D671A00A04BBDB10EB65DD42B9E77A4EB00725F14411BF410EB2D1F7B8A9419A5E
                                                                                APIs
                                                                                • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074), ref: 004625F2
                                                                                  • Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
                                                                                  • Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterFreeHeapInitialize
                                                                                • String ID:
                                                                                • API String ID: 641406236-0
                                                                                • Opcode ID: d7687083481b949a20775ded8b06956d8403e74c28273142179fd976021ff8ee
                                                                                • Instruction ID: 6ac38fba090b8e0cd552bd39414728c59123c440f9a6d7b6dee87d9099c5520c
                                                                                • Opcode Fuzzy Hash: d7687083481b949a20775ded8b06956d8403e74c28273142179fd976021ff8ee
                                                                                • Instruction Fuzzy Hash: 3821D672801A09BBCB219B959D16BDE7B78EB04765F14411FF411B12C1FBBC9A40CA6F
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00472C22
                                                                                  • Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7
                                                                                Similarity
                                                                                • API ID: H_prologValue
                                                                                • String ID:
                                                                                • API String ID: 3700342317-0
                                                                                • Opcode ID: 1609befb9682f1c82eb61212d8494f4b71046ac20ab3e4e2159076e01b54864a
                                                                                • Instruction ID: acf6e54c6f860bb7f285176997f3012398af55e9b9376b82e9629a1b00d9251d
                                                                                • Opcode Fuzzy Hash: 1609befb9682f1c82eb61212d8494f4b71046ac20ab3e4e2159076e01b54864a
                                                                                • Instruction Fuzzy Hash: F3218D72900209EFDF11CF54C581AEE7BB9FF48314F00806AF809AB240C3B4AE44CB95
                                                                                APIs
                                                                                • CreateWindowExA.USER32(00000000,00000080,00436A31,?,?,?,?,?,?,?,?,?), ref: 004733E2
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: dbb498c7f2cda6e05cb8b18bcbaef13a66bcf5f98d8d4e22bcced86f57a59be5
                                                                                • Instruction ID: d5f74644314c22127cae4e594a18229e83d1b6e9cd0116ab85e2aa41e9bda49e
                                                                                • Opcode Fuzzy Hash: dbb498c7f2cda6e05cb8b18bcbaef13a66bcf5f98d8d4e22bcced86f57a59be5
                                                                                • Instruction Fuzzy Hash: CB31BD75A00219AFCF41DFA8C8449DEBBF1BF4C304B01846AF918E7310E7359A519FA4
                                                                                APIs
                                                                                • DestroyWindow.USER32(00000000,00000000,00000000,?,?,?,004734BC,005057D0,?,0040F18C), ref: 00473660
                                                                                Similarity
                                                                                • API ID: DestroyWindow
                                                                                • String ID:
                                                                                • API String ID: 3375834691-0
                                                                                • Opcode ID: 9eca134ab74619115f9ca23434351dda13293752390c36d59f71f4c06805ec52
                                                                                • Instruction ID: be17318105b56644934a59114b318ebccbd214ca98b6745033fb055823d4eae7
                                                                                • Opcode Fuzzy Hash: 9eca134ab74619115f9ca23434351dda13293752390c36d59f71f4c06805ec52
                                                                                • Instruction Fuzzy Hash: 38F0E231200600EFCB746E29E814A9A73A4EF8071AB00C02EF00687320DB68ED069B44
                                                                                Similarity
                                                                                • Opcode ID: b3106807c18d85ff37cd54ce47c6d9b205ce7d64f6c9daab54c8cd37cb984e2a
                                                                                • Instruction ID: c26a12b5e2435f20ac75bb848588befddb52d10d35f68917465814fffd23c4df
                                                                                • Opcode Fuzzy Hash: b3106807c18d85ff37cd54ce47c6d9b205ce7d64f6c9daab54c8cd37cb984e2a
                                                                                • Instruction Fuzzy Hash: 69F01C32000519FBCF225E919E01EEF3B29BF14361F00C816FA1955250C7BAD6A1EFA9
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00710000,00000000,?,?,005057D0,00413B8A,0000001C), ref: 004154C1
                                                                                  • Part of subcall function 00412140: wsprintfA.USER32 ref: 00412152
                                                                                Similarity
                                                                                • API ID: AllocateHeapwsprintf
                                                                                • API String ID: 1352872168-0
                                                                                • Opcode ID: cc5f1e285d0f94177d62f8280bba7342526e083d8ec1dc1d24f10bc4fa1d1e77
                                                                                • Instruction ID: bc1ff48080c5b3ab07b00576f7c42162bc1a55f12a5e65cb5b192bd639d7b226
                                                                                • Opcode Fuzzy Hash: cc5f1e285d0f94177d62f8280bba7342526e083d8ec1dc1d24f10bc4fa1d1e77
                                                                                • Instruction Fuzzy Hash: 30E08CB590020CFFCB00DF90E845BAE77B8EB48300F108198FD098B340E675AE80DB98
                                                                                APIs
                                                                                • RtlFreeHeap.NTDLL(00710000,00000000,00000000,00000000,?,0040FE13,?), ref: 004155D8
                                                                                Similarity
                                                                                • API ID: FreeHeap
                                                                                • API String ID: 3298025750-0
                                                                                • Opcode ID: 19fcb79f2ab09abbea95f4cb6ce32339569eb282d51ca7caf42afc6b4b6b4bb8
                                                                                • Instruction ID: f380979d4a87415a4f1c58838160ae3526f7132bda81363000a9092ec25b248f
                                                                                • Opcode Fuzzy Hash: 19fcb79f2ab09abbea95f4cb6ce32339569eb282d51ca7caf42afc6b4b6b4bb8
                                                                                • Instruction Fuzzy Hash: 13D01276200A08EFD7149B54D849BEF3BAAE784744F108019F60D4A694EA74EC80DBA4
                                                                                APIs
                                                                                • LoadStringA.USER32(?,?,?,?), ref: 00476CB4
                                                                                Similarity
                                                                                • API ID: LoadString
                                                                                • API String ID: 2948472770-0
                                                                                • Opcode ID: 349b10221325f4b53d0d7f13d6fe59a97de8253698001c2c41ec700c4d2c1ecc
                                                                                • Instruction ID: 375bc89285cfe0dbd38e3b98a1bf77c15d19e7fb26e740974e8835e54aa146f6
                                                                                • Opcode Fuzzy Hash: 349b10221325f4b53d0d7f13d6fe59a97de8253698001c2c41ec700c4d2c1ecc
                                                                                • Instruction Fuzzy Hash: F1D0A7721083619FC741DF608C08D8FBBA4FF54320B094C0EF4D443211C324D858C766
                                                                                APIs
                                                                                • CloseHandle.KERNELBASE(0000020C,004D7CA4,005057D0,00505A74,00000000,0047D541,000000FF,0040F234), ref: 0042254A
                                                                                  • Part of subcall function 00422A60: midiStreamStop.WINMM(?,00000000,?,00000000,004225CA,00000000,005057D0,00414F56,005057D0,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422A95
                                                                                Similarity
                                                                                • API ID: CloseHandleStopStreammidi
                                                                                • API String ID: 402806035-0
                                                                                • Opcode ID: 73e406615b7b58c998f33fca7d0f38d41c44ace4e56ce16f7be36d38821a69fb
                                                                                • Instruction ID: 8a4300be814cffa1380164524798919076d7dd6074e53dc1cbb7601be2b15eab
                                                                                • Opcode Fuzzy Hash: 73e406615b7b58c998f33fca7d0f38d41c44ace4e56ce16f7be36d38821a69fb
                                                                                • Instruction Fuzzy Hash: 6321E0B1A00B10ABC721DF2AC945B57FBE8FF98710F54891FE19AC7720D7B8A4448B95
                                                                                APIs
                                                                                • IsWindow.USER32(?), ref: 00410822
                                                                                • IsIconic.USER32(?), ref: 0041085A
                                                                                • SetActiveWindow.USER32(?), ref: 00410883
                                                                                • IsWindow.USER32(?), ref: 004108AD
                                                                                • IsWindow.USER32(?), ref: 00410B7E
                                                                                • DestroyAcceleratorTable.USER32(?), ref: 00410CCE
                                                                                • DestroyMenu.USER32(?), ref: 00410CD9
                                                                                • DestroyAcceleratorTable.USER32(?), ref: 00410CF3
                                                                                • DestroyMenu.USER32(?), ref: 00410D02
                                                                                • DestroyAcceleratorTable.USER32(?), ref: 00410D62
                                                                                • DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,?,?,000007D9,00000000,00000000), ref: 00410D71
                                                                                • SetParent.USER32(?,?), ref: 00410DF3
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00410F0B
                                                                                • IsWindow.USER32(?), ref: 0041103C
                                                                                • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00411051
                                                                                • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0041106E
                                                                                • DestroyAcceleratorTable.USER32(?), ref: 004110BC
                                                                                • IsWindow.USER32(?), ref: 00411131
                                                                                • IsWindow.USER32(?), ref: 00411181
                                                                                • IsWindow.USER32(?), ref: 004111D1
                                                                                • IsWindow.USER32(?), ref: 0041120E
                                                                                • IsWindow.USER32(?), ref: 00411291
                                                                                • GetParent.USER32(?), ref: 0041129F
                                                                                • GetFocus.USER32 ref: 004112E0
                                                                                  • Part of subcall function 004106A0: IsWindow.USER32(?), ref: 0041071B
                                                                                  • Part of subcall function 004106A0: GetFocus.USER32 ref: 00410725
                                                                                  • Part of subcall function 004106A0: IsChild.USER32(?,00000000), ref: 00410737
                                                                                • IsWindow.USER32(?), ref: 0041133F
                                                                                • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00411354
                                                                                • IsWindow.USER32(00000000), ref: 00411367
                                                                                • GetFocus.USER32 ref: 00411371
                                                                                • SetFocus.USER32(00000000), ref: 0041137C
                                                                                Similarity
                                                                                • API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$Parent$ActiveChildIconic
                                                                                • String ID: `\A$d
                                                                                • API String ID: 3681805233-346329946
                                                                                • Opcode ID: 3f9d721796771d9d0a5f5788a6daa458acafc3d838b9f36e7d11632188ce6160
                                                                                • Instruction ID: 656883530a809c1052ca07e2a604158577a8150e27dc577a50c57d9adcaecc6e
                                                                                • Opcode Fuzzy Hash: 3f9d721796771d9d0a5f5788a6daa458acafc3d838b9f36e7d11632188ce6160
                                                                                • Instruction Fuzzy Hash: F27271716043059BD320DF65C881FAFB7E9AF84704F14492EF94997381DB78E885CBAA
                                                                                APIs
                                                                                • IsWindowEnabled.USER32(?), ref: 00418069
                                                                                • TranslateAcceleratorA.USER32(?,?,?,?), ref: 004180C3
                                                                                • IsChild.USER32(?,?), ref: 004180F4
                                                                                • GetFocus.USER32 ref: 0041824F
                                                                                • PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 004182D9
                                                                                • PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00418348
                                                                                • IsChild.USER32(?,00000000), ref: 004183F1
                                                                                • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 004183C2
                                                                                  • Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
                                                                                  • Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767
                                                                                • IsWindow.USER32(?), ref: 00418CC9
                                                                                Similarity
                                                                                • API ID: ChildMessage$PostWindow$AcceleratorEnabledFocusParentSendTranslate
                                                                                • String ID: 0$9$A$Z$\VO$hlp
                                                                                • API String ID: 3372979518-2341453987
                                                                                • Opcode ID: cf644107aa7e61a539d9613fe9f2bfaaa112d89a671fb253dc494d7e60dbf5ba
                                                                                • Instruction ID: 819082ef1b272f0051aef52bf47e16b5137a522189c5edd2943b4a8575f28bfd
                                                                                • Opcode Fuzzy Hash: cf644107aa7e61a539d9613fe9f2bfaaa112d89a671fb253dc494d7e60dbf5ba
                                                                                • Instruction Fuzzy Hash: 35729F706043469BDB24DF25C881BEBB3A5AF94704F10492FF94597381EF78DC858BAA
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 0041922C
                                                                                • IsZoomed.USER32(?), ref: 0041923A
                                                                                • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 00419264
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00419277
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00419285
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 004192BB
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004192D1
                                                                                • IsWindow.USER32(?), ref: 004192FE
                                                                                • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 0041930B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                                                                • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                                                                • API String ID: 447426925-661446951
                                                                                • Opcode ID: 10b1d5f23937af8889a11d4c56849cccd6d6c48e1813f748d429240911c07fc1
                                                                                • Instruction ID: ccd86734c1a7b36a176dddf9090c87c6b3c5cf4ea1fa71912d9001001beb8ff4
                                                                                • Opcode Fuzzy Hash: 10b1d5f23937af8889a11d4c56849cccd6d6c48e1813f748d429240911c07fc1
                                                                                • Instruction Fuzzy Hash: 26317C71740301AFD7509F65CC59F6F77A8AF84B01F00892DFA05A7280DBB8EC498B69
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004724E1
                                                                                • FindResourceA.KERNEL32(?,00000000,00000005), ref: 00472519
                                                                                • LoadResource.KERNEL32(?,00000000,?,?,?,00000000), ref: 00472521
                                                                                  • Part of subcall function 00473302: UnhookWindowsHookEx.USER32(?), ref: 00473327
                                                                                • LockResource.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0047252E
                                                                                • IsWindowEnabled.USER32(?), ref: 00472561
                                                                                • EnableWindow.USER32(?,00000000), ref: 0047256F
                                                                                • EnableWindow.USER32(?,00000001), ref: 004725FD
                                                                                • GetActiveWindow.USER32 ref: 00472608
                                                                                • SetActiveWindow.USER32(?,?,?,00000000,?,?,?,00000000), ref: 00472616
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
                                                                                • String ID:
                                                                                • API String ID: 401145483-0
                                                                                • Opcode ID: d5df313de6341444ada72bf56ef0985310c795a9377ae0fa353b0e96e108062c
                                                                                • Instruction ID: c9af801f63e3d989ec84e20cad10c17d049c810dd30404c2b860ceca7c001f2e
                                                                                • Opcode Fuzzy Hash: d5df313de6341444ada72bf56ef0985310c795a9377ae0fa353b0e96e108062c
                                                                                • Instruction Fuzzy Hash: C741BF70900604EFCB21AF64CE49AEFBBB5BF44715F10861FF506A2291CBB94E41CB59
                                                                                APIs
                                                                                • GlobalAlloc.KERNEL32(00000042,?), ref: 0042D3B7
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0042D3D3
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0042D3F5
                                                                                • OpenClipboard.USER32(00000000), ref: 0042D3FD
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0042D409
                                                                                • EmptyClipboard.USER32 ref: 0042D411
                                                                                • SetClipboardData.USER32(?,00000000), ref: 0042D423
                                                                                • CloseClipboard.USER32 ref: 0042D429
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                                                                                • String ID:
                                                                                • API String ID: 453615576-0
                                                                                • Opcode ID: 2d71a64ab5d2e3c04057ac3b91058153c8ce73bec7e523cb26e67aeca362ec28
                                                                                • Instruction ID: a3bd699323cbd7b0c9b74682f334725013566dc8c7ad3d9250605c19bb40b547
                                                                                • Opcode Fuzzy Hash: 2d71a64ab5d2e3c04057ac3b91058153c8ce73bec7e523cb26e67aeca362ec28
                                                                                • Instruction Fuzzy Hash: 2131B471304311AFC354EF65EC59B2F77A8EB88724F844A2EF95683291DB78D808CB65
                                                                                APIs
                                                                                  • Part of subcall function 0047118B: InterlockedIncrement.KERNEL32(-000000F4), ref: 004711A0
                                                                                • FindFirstFileA.KERNEL32(?,?,*.*), ref: 004096CA
                                                                                  • Part of subcall function 0046F09D: __EH_prolog.LIBCMT ref: 0046F0A2
                                                                                  • Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A
                                                                                • SendMessageA.USER32 ref: 00409770
                                                                                • FindNextFileA.KERNEL32(?,00000010), ref: 0040977C
                                                                                • FindClose.KERNEL32(?), ref: 0040978F
                                                                                • SendMessageA.USER32(?,00001102,00000002,?), ref: 004097A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$FileInterlockedMessageSend$CloseDecrementFirstH_prologIncrementNext
                                                                                • String ID: *.*
                                                                                • API String ID: 2486832813-438819550
                                                                                • Opcode ID: 5ea15a55dd57a1d99f5bae3c71447f95ff7bbabfce1429e307446fb011ce6320
                                                                                • Instruction ID: 28c4050b80a552ab67fed60250f9b34c5aac997868025109a84abfcf9187bc32
                                                                                • Opcode Fuzzy Hash: 5ea15a55dd57a1d99f5bae3c71447f95ff7bbabfce1429e307446fb011ce6320
                                                                                • Instruction Fuzzy Hash: DE41A171508341ABC720DF65C885F9BB3E8AF84704F108D2EF6A5832D1EB79D808CB56
                                                                                APIs
                                                                                • OpenClipboard.USER32(00000000), ref: 0042D4CD
                                                                                • GetClipboardData.USER32(?), ref: 0042D4E6
                                                                                • CloseClipboard.USER32 ref: 0042D4F2
                                                                                • GlobalSize.KERNEL32(00000000), ref: 0042D528
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0042D530
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0042D548
                                                                                • CloseClipboard.USER32 ref: 0042D54E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$Close$DataLockOpenSizeUnlock
                                                                                • String ID:
                                                                                • API String ID: 2237123812-0
                                                                                • Opcode ID: 3894c1f87a7673fcb8de9b5e449a0971ef47b35abdc98688db25e873320816c0
                                                                                • Instruction ID: 40e3c6a20f0c50c64a57dcf9de3fa568f310f0b050d37c55a1df2675b60f19b8
                                                                                • Opcode Fuzzy Hash: 3894c1f87a7673fcb8de9b5e449a0971ef47b35abdc98688db25e873320816c0
                                                                                • Instruction Fuzzy Hash: 9021A271700211ABD604EB64E848E7F77A9EF88359F440A3EF905C3240EB68E844CBA5
                                                                                APIs
                                                                                • FindWindowA.USER32(00000000,?), ref: 0045ED8D
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0045ED9D
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0045EE1B
                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0045EE24
                                                                                  • Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$Window$DecrementFindInterlockedOpenTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 2770076521-0
                                                                                • Opcode ID: b1d7bdde570c5135b6aad571a470c1712ceb129d7d0b370a0e7798c8997489b3
                                                                                • Instruction ID: f49d09bf38843ed6246ea1e21e793bb2f2bce097083d858625da7e8073b3aaa8
                                                                                • Opcode Fuzzy Hash: b1d7bdde570c5135b6aad571a470c1712ceb129d7d0b370a0e7798c8997489b3
                                                                                • Instruction Fuzzy Hash: 0931C431108342ABD364DB26CD45BAB73E4AB84751F04891EFC69832D1E778D908CB66
                                                                                APIs
                                                                                • OpenClipboard.USER32(00000000), ref: 0045FB23
                                                                                • EmptyClipboard.USER32 ref: 0045FB2D
                                                                                • GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,?,?,?,?,?,00000003), ref: 0045FB4B
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0045FB54
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0045FB7E
                                                                                • SetClipboardData.USER32(00000008,00000000), ref: 0045FB87
                                                                                • CloseClipboard.USER32 ref: 0045FB8D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
                                                                                • String ID:
                                                                                • API String ID: 1677084743-0
                                                                                • Opcode ID: 36619d86ec7c82d70297eac3395f100500b159639cfb1b587099d91f3781412f
                                                                                • Instruction ID: bf98da97ee86203ed11fcb3c5b4258c81f836b723dc71a92d02f4b3df2033443
                                                                                • Opcode Fuzzy Hash: 36619d86ec7c82d70297eac3395f100500b159639cfb1b587099d91f3781412f
                                                                                • Instruction Fuzzy Hash: F1015271210205ABD7A09B79EC48A6B7BA8EB44361F054839BD06C3691DA60EC48CB64
                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(?,?), ref: 00412562
                                                                                • FindClose.KERNEL32 ref: 00412571
                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 0041257D
                                                                                • FindClose.KERNEL32(00000000), ref: 004125DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                • String ID:
                                                                                • API String ID: 1164774033-0
                                                                                • Opcode ID: fead08fa7fcad5e510c5e9c07e2c2a528163319dd370dc3fdd8feaadafd0c43f
                                                                                • Instruction ID: a328d943cb3dc5d6d1cd15c412af6cf9dadb71c57160ef6a78d3c1b32ede5832
                                                                                • Opcode Fuzzy Hash: fead08fa7fcad5e510c5e9c07e2c2a528163319dd370dc3fdd8feaadafd0c43f
                                                                                • Instruction Fuzzy Hash: 12213B32504710BBD7219B24DEA47FBB396AB94324F15062AEC25C7380E7BDDCA5434A
                                                                                APIs
                                                                                  • Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C
                                                                                • GetKeyState.USER32(00000010), ref: 00474A11
                                                                                • GetKeyState.USER32(00000011), ref: 00474A1A
                                                                                • GetKeyState.USER32(00000012), ref: 00474A23
                                                                                • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00474A39
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: State$LongMessageSendWindow
                                                                                • String ID:
                                                                                • API String ID: 1063413437-0
                                                                                • Opcode ID: 1b0535f0a9c8415aa92e85365fe35f948d1acc37d3d62c36d02c473a2ccdd33c
                                                                                • Instruction ID: b3156a5983b14c630b06f5b8f6760337faa6ecdcc41c60f56d53e5cb81c28338
                                                                                • Opcode Fuzzy Hash: 1b0535f0a9c8415aa92e85365fe35f948d1acc37d3d62c36d02c473a2ccdd33c
                                                                                • Instruction Fuzzy Hash: 88F082366C07462AE920769D5C42FFE46144B80B98F00842ABB05AF5D18BF9880256FD
                                                                                APIs
                                                                                • ioctlsocket.WS2_32(?,4004667F,?), ref: 004242D2
                                                                                • recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 00424320
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ioctlsocketrecvfrom
                                                                                • String ID: `\A
                                                                                • API String ID: 217199969-2688774508
                                                                                • Opcode ID: 5a759f330a9e4485f618e1fa8743e241d537eae143ea15af6ce666c212b3cc8b
                                                                                • Instruction ID: 82a3ff7578813c2f3d9c99e5fbe201fa336e34f530358fa8595c650f7c1c0f6b
                                                                                • Opcode Fuzzy Hash: 5a759f330a9e4485f618e1fa8743e241d537eae143ea15af6ce666c212b3cc8b
                                                                                • Instruction Fuzzy Hash: D4218171204601AFC314EF28D845B6BB7E4EFD4714F508B2EF59A972D0DB389844CB59
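The four "APIs" listings above (clipboard write, Find* directory walk, GetKeyState plus SendMessageA, ioctlsocket plus recvfrom) are the raw material an analyst turns into capability tags. The script below is an added example for this page, not Joe Sandbox's own code: it parses entries in exactly the shape the report prints them, decodes the constants that matter for triage, and tags each entry. The sample text is constructed from the listings above; the tag names are the example's own. The constant values are standard Win32/MFC definitions: CF_DIB is 8 (so the clipboard routine places a bitmap on the clipboard, not text), FIONREAD is 0x4004667F (the socket is polled for pending bytes before recvfrom, not switched to non-blocking), 0x10/0x11/0x12 are VK_SHIFT/VK_CONTROL/VK_MENU, 0x111 is WM_COMMAND and 0xE146 is MFC's ID_HELP. That last sequence matches MFC's help-key handling and is runtime boilerplate, so the example tags it separately rather than treating it as RAT behaviour.

```python
"""Tag capabilities from Joe Sandbox-style 'APIs' listings (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the four call lists as printed on this page, with the
# report's own bullets and "Part of subcall function" indentation kept.
SAMPLE = """\
APIs
• OpenClipboard.USER32(00000000), ref: 0045FB23
• EmptyClipboard.USER32 ref: 0045FB2D
• GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,?,?,?,?,?,00000003), ref: 0045FB4B
• GlobalLock.KERNEL32(00000000), ref: 0045FB54
• GlobalUnlock.KERNEL32(00000000), ref: 0045FB7E
• SetClipboardData.USER32(00000008,00000000), ref: 0045FB87
• CloseClipboard.USER32 ref: 0045FB8D
Memory Dump Source
APIs
• FindNextFileA.KERNEL32(?,?), ref: 00412562
• FindClose.KERNEL32 ref: 00412571
• FindFirstFileA.KERNEL32(?,?), ref: 0041257D
• FindClose.KERNEL32(00000000), ref: 004125DB
Memory Dump Source
APIs
  • Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C
• GetKeyState.USER32(00000010), ref: 00474A11
• GetKeyState.USER32(00000011), ref: 00474A1A
• GetKeyState.USER32(00000012), ref: 00474A23
• SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00474A39
Memory Dump Source
APIs
• ioctlsocket.WS2_32(?,4004667F,?), ref: 004242D2
• recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 00424320
Strings
"""

# One report line: optional subcall prefix, Name.MODULE, optional (args), ref: addr
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 / MFC constants (standard header values, not taken from the report).
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 8: "CF_DIB", 13: "CF_UNICODETEXT"}
IOCTL_CMDS = {0x4004667F: "FIONREAD", 0x8004667E: "FIONBIO"}
VKEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
GMEM_FLAGS = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT", 0x2000: "GMEM_DDESHARE"}
WM_COMMAND, ID_HELP_MFC = 0x111, 0xE146


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: int
    subcall: bool


def parse_entries(text):
    """Each 'APIs' header starts an entry; the entry ends at the first
    non-bullet line ('Memory Dump Source', 'Strings', ...)."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(Call(m["name"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
        elif current is not None and line.strip():
            current = None
    return entries


def hexarg(call, i):
    """Argument i as int, or None when the sandbox printed '?' or it is absent."""
    if i < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]+", call.args[i]):
        return int(call.args[i], 16)
    return None


def decode(call):
    """Name the constants that matter for triage; empty string if none apply."""
    a0, a1, a2 = hexarg(call, 0), hexarg(call, 1), hexarg(call, 2)
    if call.name == "SetClipboardData" and a0 is not None:
        return CLIPBOARD_FORMATS.get(a0, f"CF_{a0:#x}")
    if call.name == "ioctlsocket" and a1 is not None:
        return IOCTL_CMDS.get(a1, f"cmd={a1:#x}")
    if call.name == "GetKeyState" and a0 is not None:
        return VKEYS.get(a0, f"VK_{a0:#x}")
    if call.name.startswith("SendMessage") and a1 == WM_COMMAND:
        return "WM_COMMAND ID_HELP (MFC)" if a2 == ID_HELP_MFC else "WM_COMMAND"
    if call.name == "GlobalAlloc" and a0 is not None:
        return "|".join(n for bit, n in GMEM_FLAGS.items() if a0 & bit) or f"{a0:#x}"
    return ""


def tag(entry):
    """Capability tags for one entry; subcalls are ignored for sequence matching."""
    names = {c.name for c in entry if not c.subcall}
    tags = set()
    if {"OpenClipboard", "SetClipboardData"} <= names:
        fmt = next((decode(c) for c in entry if c.name == "SetClipboardData"), "")
        tags.add(f"clipboard-write:{fmt or 'unknown'}")
    if names & {"FindFirstFileA", "FindFirstFileW"} and names & {"FindNextFileA", "FindNextFileW"}:
        tags.add("directory-enumeration")
    if "recvfrom" in names and any(c.name == "ioctlsocket" and decode(c) == "FIONREAD" for c in entry):
        tags.add("udp-poll-receive")
    keys = {decode(c) for c in entry if c.name == "GetKeyState"}
    if {"VK_SHIFT", "VK_CONTROL", "VK_MENU"} <= keys and any(
            decode(c).startswith("WM_COMMAND ID_HELP") for c in entry):
        tags.add("mfc-help-key-handler")  # library boilerplate, not a RAT feature
    return tags


def analyze(text):
    """Sorted tag list per entry, in report order."""
    return [sorted(tag(e)) for e in parse_entries(text)]


if __name__ == "__main__":
    for calls, tags in zip(parse_entries(SAMPLE), analyze(SAMPLE)):
        print(", ".join(c.name for c in calls if not c.subcall), "->", tags or ["(untagged)"])
```

Feed it the whole report text and the untagged entries are the ones worth a second look by hand; the tags that fire on library code (the MFC one here) are the ones to exclude from any detection logic built from this data.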
                                                                                APIs
                                                                                • GetKeyState.USER32(00000010), ref: 0042BBC0
                                                                                • GetKeyState.USER32(00000011), ref: 0042BBD0
                                                                                • CopyRect.USER32(00000000,00000000), ref: 0042BCA5
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: State$CopyRect
                                                                                • String ID:
                                                                                • API String ID: 4142901696-0
                                                                                • Opcode ID: ad55cd782f98de18f8da96bbe10f8ef5a458e32b7130b33de27dd74eaa1843fb
                                                                                • Instruction ID: ed02e38eeb3e6698ade74f05057c6ec1f1e1f249258d0e9a1d1efec63f128426
                                                                                • Opcode Fuzzy Hash: ad55cd782f98de18f8da96bbe10f8ef5a458e32b7130b33de27dd74eaa1843fb
                                                                                • Instruction Fuzzy Hash: E2A1E2703043209BD628DA15E881FBBB3E5EBC4704F91491FF68297380DBA9ED4587DA
                                                                                APIs
                                                                                  • Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
                                                                                  • Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C
                                                                                  • Part of subcall function 00468555: LeaveCriticalSection.KERNEL32(?,00462712,00000009,004626FE,00000000,?,00000000,00000000,00000000), ref: 00468562
                                                                                • GetTimeZoneInformation.KERNEL32(0000000C,?,?,?,0000000B,0000000B,?,0046CC0D,0046C8DE,?,?,?,?,004637FE,?,?), ref: 0046CC6A
                                                                                • WideCharToMultiByte.KERNEL32(00000220,0051AAC4,000000FF,0000003F,00000000,?,?,0046CC0D,0046C8DE,?,?,?,?,004637FE,?,?), ref: 0046CD00
                                                                                • WideCharToMultiByte.KERNEL32(00000220,0051AB18,000000FF,0000003F,00000000,?,?,0046CC0D,0046C8DE,?,?,?,?,004637FE,?,?), ref: 0046CD39
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
                                                                                • String ID:
                                                                                • API String ID: 3442286286-0
                                                                                • Opcode ID: af890ae95df1edb42a2abb2014629cdc0472b3d0f91bc77f5721656311349f2b
                                                                                • Instruction ID: c1aa2ec93cea7cc46418a8479d1fc68bc02f20b5f76c3543ef3e1db22ce66598
                                                                                • Opcode Fuzzy Hash: af890ae95df1edb42a2abb2014629cdc0472b3d0f91bc77f5721656311349f2b
                                                                                • Instruction Fuzzy Hash: E6612071608241AAD7229F28ECC1B7A3FA9AB05314F24443FE0D5832E1E7794C52DB9F
                                                                                APIs
                                                                                • SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000800), ref: 0045E7BE
                                                                                • CoCreateInstance.OLE32(004DC438,00000000,00000001,004DC470,?,?,00000000,?,00000160,00000800), ref: 0045E7EE
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0045E82E
                                                                                  • Part of subcall function 0045EA60: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000001,0045E84E,?,00000000,00000001), ref: 0045EA7B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharCreateFileInfoInstanceMultiWidelstrlen
                                                                                • String ID:
                                                                                • API String ID: 2402691419-0
                                                                                • Opcode ID: 6e0f59bcccfe3c1d85bd4932181a0363ec131db948f6d26c2c9fcdf5607f69bf
                                                                                • Instruction ID: 5620cbf48cb17b40dd8cae7d2b224757cffdd96f215d6c6e82d6708c6755a5e4
                                                                                • Opcode Fuzzy Hash: 6e0f59bcccfe3c1d85bd4932181a0363ec131db948f6d26c2c9fcdf5607f69bf
                                                                                • Instruction Fuzzy Hash: 0431B071600205ABDB24DF61CC89FAA77ACEF84705F004499FD04DB281D775EA88CBA4
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 0046373D
                                                                                • GetSystemTime.KERNEL32(?), ref: 00463747
                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 0046379C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Time$InformationLocalSystemZone
• String ID:
• API String ID: 2475273158-0
APIs
• GetKeyState.USER32(00000011), ref: 00419501
• GetKeyState.USER32(00000010), ref: 00419516
• GetKeyState.USER32(00000012), ref: 0041952B
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: State
• String ID:
• API String ID: 1649606143-0
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetKeyState.USER32(00000010), ref: 0047650A
• GetKeyState.USER32(00000011), ref: 00476513
• GetKeyState.USER32(00000012), ref: 0047651C
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: State
• String ID:
• API String ID: 1649606143-0
APIs
• FindFirstFileA.KERNEL32 ref: 00405252
• FindClose.KERNEL32(00000000), ref: 0040525E
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• FindFirstFileA.KERNEL32(?,?), ref: 00419330
• FindClose.KERNEL32(00000000), ref: 0041933C
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0006C95C), ref: 0046C9A7
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 0046C9B9
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                                APIs
                                                                                • GetDC.USER32(?), ref: 00434ED2
                                                                                  • Part of subcall function 0041A890: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041A89F
                                                                                • SetStretchBltMode.GDI32(00000000,00000000), ref: 00434EE5
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00434EF2
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00434EF7
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434F48
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00434F5C
                                                                                • SelectObject.GDI32(?,?), ref: 00434F86
                                                                                • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00434FA8
                                                                                • SelectObject.GDI32(?,?), ref: 00434FB8
                                                                                • SelectObject.GDI32(?,?), ref: 00434FC4
                                                                                • GetTickCount.KERNEL32 ref: 00435012
                                                                                • SelectObject.GDI32(?,?), ref: 0043504A
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00435066
                                                                                • BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0043508B
                                                                                • SelectObject.GDI32(00000000,?), ref: 00435097
                                                                                • DeleteObject.GDI32(00000000), ref: 0043509E
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004350E2
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004350EE
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 00435113
                                                                                • SelectObject.GDI32(00000000,?), ref: 0043511F
                                                                                • SelectObject.GDI32(00000000,?), ref: 00435127
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0043513C
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00435145
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043515B
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00435173
                                                                                • SelectObject.GDI32(00000000,?), ref: 00435183
                                                                                • SelectObject.GDI32(00000000,?), ref: 00435193
                                                                                • SetBkColor.GDI32(00000000,?), ref: 004351A5
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004351C6
                                                                                • SetBkColor.GDI32(00000000,?), ref: 004351D2
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 004351EF
                                                                                • BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00435214
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00435231
                                                                                • BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 00435256
                                                                                • SelectObject.GDI32(00000000,?), ref: 00435262
                                                                                • DeleteObject.GDI32(00000000), ref: 00435269
                                                                                • SelectObject.GDI32(00000000,?), ref: 00435275
                                                                                • DeleteObject.GDI32(00000000), ref: 0043527C
                                                                                • DeleteDC.GDI32(00000000), ref: 00435289
                                                                                • DeleteDC.GDI32(00000000), ref: 0043528C
                                                                                • SelectObject.GDI32(00000000,?), ref: 004352C5
                                                                                • DeleteObject.GDI32(?), ref: 004352CC
                                                                                • IsWindow.USER32(?), ref: 004352D6
                                                                                • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0043533A
                                                                                • BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00435364
                                                                                • SelectObject.GDI32(?,?), ref: 00435374
                                                                                • Sleep.KERNEL32(0000000A), ref: 004353C0
                                                                                • GetTickCount.KERNEL32 ref: 004353C6
                                                                                • DeleteObject.GDI32(00000000), ref: 004353F3
                                                                                • DeleteDC.GDI32(00000000), ref: 00435400
                                                                                • DeleteDC.GDI32(?), ref: 00435407
                                                                                • ReleaseDC.USER32(?,00000000), ref: 0043540E
                                                                                  • Part of subcall function 004349F0: GetClientRect.USER32(?,?), ref: 00434A17
                                                                                  • Part of subcall function 004349F0: __ftol.LIBCMT ref: 00434AEE
                                                                                  • Part of subcall function 004349F0: __ftol.LIBCMT ref: 00434B01
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
                                                                                • String ID:
                                                                                • API String ID: 1975044605-0
                                                                                • Opcode ID: b9153c0c49b3b05573ed07e31508fdaf77b349cd4dda8dc8ee5560d61bc07a52
                                                                                • Instruction ID: ef5862c8c39f674d743705185f4918cb703b55ebe8a31f2f51258a9ccbf0833d
                                                                                • Opcode Fuzzy Hash: b9153c0c49b3b05573ed07e31508fdaf77b349cd4dda8dc8ee5560d61bc07a52
                                                                                • Instruction Fuzzy Hash: 6202F6B1214700AFD364DF65DC85F6BB7E9FB89B04F10491DFA9697290C7B4E8048B29
                                                                                APIs
                                                                                  • Part of subcall function 0041A0A0: SendMessageA.USER32(?,00000143,00000000,?), ref: 0041A0C3
                                                                                • GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 004338B9
                                                                                • GetProfileStringA.KERNEL32(devices,00000000,0050626C,?,00001000), ref: 004338F8
                                                                                • GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 0043393A
                                                                                • SendMessageA.USER32(?,00000143,00000000), ref: 004339FB
                                                                                • SendMessageA.USER32(?,0000014E,?,00000000), ref: 00433A38
                                                                                • SendMessageA.USER32(?,0000014E,?,00000000), ref: 00433ADB
                                                                                • wsprintfA.USER32 ref: 00433AF4
                                                                                • wsprintfA.USER32 ref: 00433B1A
                                                                                • wsprintfA.USER32 ref: 00433B40
                                                                                • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433B73
                                                                                • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433B9E
                                                                                • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433BB4
                                                                                • SendMessageA.USER32(?,0000014E,?,00000000), ref: 00433BCB
                                                                                • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433C0F
                                                                                • wsprintfA.USER32 ref: 00433C22
                                                                                • wsprintfA.USER32 ref: 00433C4C
                                                                                • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433C72
                                                                                • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433CB3
                                                                                • wsprintfA.USER32 ref: 00433CC4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$wsprintf$ProfileString
                                                                                • String ID: ,,,$device$devices$none$windows
                                                                                • API String ID: 2373861888-528626633
                                                                                • Opcode ID: 55527e2ca8cdc86dd2883f5a78c5811f979820292297cd78726d904f36f5e9e4
                                                                                • Instruction ID: e228d98b62916281cfa8e8f3500e2cef2db2a610d57d996b1c7a1740866e4d18
                                                                                • Opcode Fuzzy Hash: 55527e2ca8cdc86dd2883f5a78c5811f979820292297cd78726d904f36f5e9e4
                                                                                • Instruction Fuzzy Hash: 44C1D871244705ABD624DF74CC82FEB73A89F88709F10491EF55A971D0EAB8FA04CB69
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041194F
                                                                                • GetWindowRect.USER32(?,?), ref: 004119A6
                                                                                • GetParent.USER32(?), ref: 004119B6
                                                                                • GetParent.USER32(?), ref: 004119E9
                                                                                • GlobalSize.KERNEL32(00000000), ref: 00411A33
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00411A3B
                                                                                • IsWindow.USER32(?), ref: 00411A54
                                                                                • GetTopWindow.USER32(?), ref: 00411A91
                                                                                • GetWindow.USER32(00000000,00000002), ref: 00411AAA
                                                                                • SetParent.USER32(?,?), ref: 00411AD6
                                                                                • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00411B21
                                                                                • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00411B30
                                                                                • GetParent.USER32(?), ref: 00411B43
                                                                                • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 00411B5C
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00411B64
                                                                                • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00411B94
                                                                                • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 00411BA2
                                                                                • IsWindow.USER32(?), ref: 00411BEE
                                                                                • GetFocus.USER32 ref: 00411BF8
                                                                                • SetFocus.USER32(?,00000000), ref: 00411C10
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00411C1B
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00411C22
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                                                                                • String ID: `\A
                                                                                • API String ID: 300820980-2688774508
                                                                                • Opcode ID: 7c4c2db3cc0834d14bb8f33d35d30d4fa508d3c17fe0bd3ac70432b284f48ba0
                                                                                • Instruction ID: ce06db2c828b12d022af6e7e7f5c2d94a2d4f8533af3ee5ff3078fa7004b9ca1
                                                                                • Opcode Fuzzy Hash: 7c4c2db3cc0834d14bb8f33d35d30d4fa508d3c17fe0bd3ac70432b284f48ba0
                                                                                • Instruction Fuzzy Hash: C1A16CB0654300AFD710DF65CC84F6BB7E8AF88700F108A1EFA5597391DB78E8458B59
                                                                                APIs
                                                                                • GetSysColor.USER32(00000010), ref: 00442EC8
                                                                                  • Part of subcall function 0047A059: SetBkColor.GDI32(?,?), ref: 0047A068
                                                                                  • Part of subcall function 0047A059: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0047A09A
                                                                                • GetSysColor.USER32(00000014), ref: 00442F00
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00442F32
                                                                                • GetSysColor.USER32(00000016), ref: 00442F4B
                                                                                • GetSysColor.USER32(0000000F), ref: 00442F5B
                                                                                • DrawEdge.USER32(?,?,00000002,0000000F), ref: 00442F94
                                                                                • GetDeviceCaps.GDI32(?), ref: 0044319E
                                                                                • RealizePalette.GDI32(?), ref: 004431C1
                                                                                • GetSysColor.USER32(00000014), ref: 004431D9
                                                                                • GetSysColor.USER32(0000000F), ref: 004431EB
                                                                                • GetSysColor.USER32(0000000F), ref: 00442EA1
                                                                                  • Part of subcall function 0047A02F: SetBkColor.GDI32(?,?), ref: 0047A039
                                                                                  • Part of subcall function 0047A02F: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0047A04F
                                                                                • GetSysColor.USER32(0000000F), ref: 00442FF8
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00443031
                                                                                • GetSysColor.USER32(00000016), ref: 00443046
                                                                                • GetSysColor.USER32(0000000F), ref: 00443052
                                                                                • InflateRect.USER32(?,?,?), ref: 00443093
                                                                                • GetSysColor.USER32(00000010), ref: 00443097
                                                                                • Rectangle.GDI32(?,?,?,?,?), ref: 004430DE
                                                                                • DrawEdge.USER32(?,?,00000002,0000000F), ref: 00443119
                                                                                • DrawEdge.USER32(?,?,00000002,0000000F), ref: 00443220
                                                                                • GetSysColor.USER32(00000010), ref: 0044327D
                                                                                • CreatePen.GDI32(00000000,00000001,00000000), ref: 00443284
                                                                                • InflateRect.USER32(?,?,?), ref: 004432C3
                                                                                • Rectangle.GDI32(?,?,?,?,?), ref: 004432E1
                                                                                • GetDeviceCaps.GDI32(?,00000026), ref: 00443317
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Color$InflateRect$DrawEdge$CapsDeviceRectangleText$CreatePaletteRealize
                                                                                • String ID:
                                                                                • API String ID: 3119264602-0
                                                                                • Opcode ID: 825153da0f7bd2745c77ee2f56bff59a4d631c38319d1a8b4b9b56fea47474f8
                                                                                • Instruction ID: 90b99e2acd7fb43c83037c1ea4420eeb4a61ce7af061cde955d57faf7924978e
                                                                                • Opcode Fuzzy Hash: 825153da0f7bd2745c77ee2f56bff59a4d631c38319d1a8b4b9b56fea47474f8
                                                                                • Instruction Fuzzy Hash: 2CF15A71204701AFD714DF64C894F6FB3E9BB88B04F108A2EF65687291DBB4E909CB56
                                                                                APIs
                                                                                • CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041FEAC
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0041FEBE
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0041FEC7
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041FED6
                                                                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041FEE9
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041FEF9
                                                                                • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041FF19
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041FF25
                                                                                • DeleteDC.GDI32(00000000), ref: 0041FF32
                                                                                • SelectObject.GDI32(?,?), ref: 0041FF3A
                                                                                • DeleteDC.GDI32(?), ref: 0041FF41
                                                                                • DeleteObject.GDI32(?), ref: 0041FF47
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0041FF7D
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateObject$Select$BitmapCompatibleDelete
                                                                                • String ID: $($($`\A
                                                                                • API String ID: 1878064223-4165484200
                                                                                • Opcode ID: fde88790c4bd4287eb998a8e96228f6f002e2934c30f5f56e88345181a72f5d5
                                                                                • Instruction ID: 7bf1a6c9b784577fa5fe9171b8a2588cb6ad9c68c0426469ebcd2ed1cdd438f1
                                                                                • Opcode Fuzzy Hash: fde88790c4bd4287eb998a8e96228f6f002e2934c30f5f56e88345181a72f5d5
                                                                                • Instruction Fuzzy Hash: F9D147B16043019FC710CF29E884A6BBBE9EFC9710F10892EF99697350D775E849CB66
                                                                                APIs
                                                                                  • Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
                                                                                  • Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7
                                                                                • __ftol.LIBCMT ref: 00433F66
                                                                                • __ftol.LIBCMT ref: 00433FBC
                                                                                • __ftol.LIBCMT ref: 00434012
                                                                                • __ftol.LIBCMT ref: 00434068
                                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00434089
                                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004340A3
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043416B
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043419D
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004341BA
                                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004341DA
                                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004341F4
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043420C
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043422B
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00434294
                                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004342F9
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043433B
                                                                                  • Part of subcall function 00475576: GetDlgItem.USER32(?,?), ref: 00475584
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00434367
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$__ftol$TextWindow$ItemLength
                                                                                • String ID: \VO
                                                                                • API String ID: 2143175130-2422581269
                                                                                • Opcode ID: 8b053fe137b98379662f247915929c592b4b438fb40e5d5d53e5488ada89c153
                                                                                • Instruction ID: 4ae0d0f80eb20ba3dd2c4126f0a4bd91d2b54c00bc7f6e83f2f1094a9bd88d57
                                                                                • Opcode Fuzzy Hash: 8b053fe137b98379662f247915929c592b4b438fb40e5d5d53e5488ada89c153
                                                                                • Instruction Fuzzy Hash: 28D1C2B5540B01ABD324DB70CC42FEB73A4BB88744F10892FF59A862E1DA38F545CB4A
                                                                                APIs
                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000022B8), ref: 00437595
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 004375B8
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 004375C6
                                                                                • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 004375E8
                                                                                • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00437631
                                                                                • waveOutWrite.WINMM(?,?,00000020), ref: 0043763E
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00437648
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00437656
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00437685
                                                                                • ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 004376A3
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 004376AA
                                                                                • waveOutPause.WINMM(?), ref: 004376B9
                                                                                • waveOutReset.WINMM(?), ref: 004376C3
                                                                                • waveOutUnprepareHeader.WINMM(?,00000000,00000020), ref: 004376E1
                                                                                • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00437706
                                                                                • EnterCriticalSection.KERNEL32(00506290), ref: 0043771C
                                                                                • LeaveCriticalSection.KERNEL32(00506290), ref: 00437778
                                                                                • CloseHandle.KERNEL32(?), ref: 004377A6
                                                                                • CloseHandle.KERNEL32(?), ref: 004377AC
                                                                                • CloseHandle.KERNEL32(?), ref: 004377B2
                                                                                • DeleteCriticalSection.KERNEL32(?), ref: 004377B8
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$wave$EnterHeaderLeave$CloseHandleUnprepare$DeleteMultipleObjectsPausePrepareReleaseResetSemaphoreWaitWrite
                                                                                • String ID:
                                                                                • API String ID: 361331667-0
                                                                                • Opcode ID: 39454d685e45af71b66388874a06764585216efb490201ad5065550e4a4863f6
                                                                                • Instruction ID: aa08ecfea030826155cf9c27ac2d77838a982f74341053d62e8ba321aad18240
                                                                                • Opcode Fuzzy Hash: 39454d685e45af71b66388874a06764585216efb490201ad5065550e4a4863f6
                                                                                • Instruction Fuzzy Hash: 83719EB5604209AFDB64CF68DC89AAE37A8EF88314F04592AF945D7250C778ED05CB98
                                                                                APIs
                                                                                • GetStockObject.GDI32(0000000F), ref: 0041DAB4
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0041DAC7
                                                                                • SelectPalette.GDI32(?,00000000,00000000), ref: 0041DB22
                                                                                • RealizePalette.GDI32(?), ref: 0041DB2C
                                                                                • GlobalAlloc.KERNEL32(00000002,00000028), ref: 0041DB36
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 0041DB4C
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0041DB54
                                                                                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041DB83
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041DBD9
                                                                                • GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 0041DBE2
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0041DBEF
                                                                                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041DC12
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 0041DC25
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041DC2C
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0041DC33
                                                                                  • Part of subcall function 00477DEE: __EH_prolog.LIBCMT ref: 00477DF3
                                                                                  • Part of subcall function 00477DEE: ReleaseDC.USER32(?,00000000), ref: 00477E12
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Global$Palette$Select$AllocBitsLockObjectUnlock$FreeH_prologRealizeReleaseStock
                                                                                • String ID: (
                                                                                • API String ID: 3986717603-3887548279
                                                                                • Opcode ID: 435d627b15ea19c00748296ca87b64a47aa6ffee157aa11427daaab41014be5e
                                                                                • Instruction ID: 1634841c967d182e34e89c3dfd087a5bf74f14034bdb3ccddf8362dc591beb1f
                                                                                • Opcode Fuzzy Hash: 435d627b15ea19c00748296ca87b64a47aa6ffee157aa11427daaab41014be5e
                                                                                • Instruction Fuzzy Hash: D1616AB25487409FC320DF54CC49B6FB7E8FB89B10F14892DFA8597290D7B5A805CB96
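The per-function "APIs" listings above (the CreateCompatibleDC/SelectObject/BitBlt bitmap copy, the SendMessageA-heavy dialog reader, the waveOut block, and the GetDIBits/GlobalAlloc DIB conversion) are easier to triage once the numeric arguments are decoded and each function is tagged by the API set it calls. The script below is an added example, not Joe Sandbox output and not code from the analysed sample: it parses bullet lines in the exact format the report prints, maps a few well-known constants (0x147 is CB_GETCURSEL, 0xF0 is BM_GETCHECK, 0x00CC0020 is SRCCOPY, 0x20 is the 32-bit sizeof(WAVEHDR), and so on) to their names, and applies a small rule table. The tag names and the rule table are the author's choices, kept deliberately minimal; the sample lines are a constructed subset copied from the listings above.

```python
"""Capability triage for Joe Sandbox per-function "APIs" listings.

Added example, not part of the report or of the analysed sample. The rule
tables (CONSTANTS, CAPABILITIES) are the author's assumptions.
"""
import re

# One API bullet. The argument list is optional because some lines (for
# example "GetClientRect.USER32 ref: 004086D2") carry none; sub-call lines
# are attributed to the function being described.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# (API, zero-based argument index) -> {value: name}. Struct sizes are the
# 32-bit values, which is what a 0x00400000-based PE uses.
CONSTANTS = {
    ("SendMessageA", 1): {0x00F0: "BM_GETCHECK", 0x0147: "CB_GETCURSEL"},
    ("BitBlt", 8): {0x00CC0020: "SRCCOPY"},
    ("PatBlt", 5): {0x00F00021: "PATCOPY"},
    ("CreateDIBitmap", 2): {0x4: "CBM_INIT"},
    ("GetStockObject", 0): {0x0F: "DEFAULT_PALETTE"},
    ("GetCurrentObject", 1): {0x1: "OBJ_PEN", 0x2: "OBJ_BRUSH"},
    ("GlobalAlloc", 0): {0x0002: "GMEM_MOVEABLE"},
    ("GlobalAlloc", 1): {0x28: "sizeof(BITMAPINFOHEADER)"},
    ("GetObjectA", 1): {0x18: "sizeof(BITMAP)"},
    ("waveOutWrite", 2): {0x20: "sizeof(WAVEHDR)"},
    ("WaitForMultipleObjects", 3): {0x22B8: "timeout=8888ms"},
}

# A tag applies when every API in its set appears in the function.
CAPABILITIES = {
    "gdi_bitmap_copy": {"CreateCompatibleDC", "SelectObject", "BitBlt"},
    "gdi_bitmap_to_dib": {"GetDIBits", "GlobalAlloc", "GlobalLock"},
    "winmm_audio_playback": {"waveOutPrepareHeader", "waveOutWrite"},
    "dialog_state_read": {"SendMessageA", "GetDlgItem", "GetWindowTextA"},
}


def parse_api_lines(lines):
    """Parse report lines into call records; lines that are not API bullets are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.search(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": m.group("ref"), "subcall": m.group("sub")})
    return calls


def decode_arg(api, index, raw):
    """Name a known constant; '?' (unresolved by the sandbox) and unknown values pass through."""
    try:
        value = int(raw, 16)  # also handles negative values such as "-00000003"
    except ValueError:
        return raw
    return CONSTANTS.get((api, index), {}).get(value, raw)


def tag_capabilities(calls):
    """Return the sorted tags whose required API set is fully present."""
    present = {c["api"] for c in calls}
    return sorted(tag for tag, need in CAPABILITIES.items() if need <= present)


def triage(lines):
    """Decode one function's listing and tag it."""
    calls = parse_api_lines(lines)
    decoded = ["%s.%s(%s) @ %s" % (
        c["api"], c["module"],
        ", ".join(decode_arg(c["api"], i, a) for i, a in enumerate(c["args"])),
        c["ref"]) for c in calls]
    return {"calls": decoded, "capabilities": tag_capabilities(calls)}


# Constructed sample input: a subset of lines copied from three entries above.
BITMAP_COPY = [
    "• CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041FEAC",
    "• CreateCompatibleDC.GDI32(?), ref: 0041FEBE",
    "• SelectObject.GDI32(00000000,?), ref: 0041FED6",
    "• BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041FF19",
]
DIALOG_READ = [
    "  • Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7",
    "• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00434089",
    "• SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043416B",
    "  • Part of subcall function 00475576: GetDlgItem.USER32(?,?), ref: 00475584",
]
AUDIO_OUT = [
    "• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000022B8), ref: 00437595",
    "• waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00437631",
    "• waveOutWrite.WINMM(?,?,00000020), ref: 0043763E",
]

if __name__ == "__main__":
    for name, block in (("bitmap", BITMAP_COPY), ("dialog", DIALOG_READ), ("audio", AUDIO_OUT)):
        result = triage(block)
        print(name, result["capabilities"])
        for call in result["calls"]:
            print("   ", call)
```

Feed it the whole "APIs" section of each function entry rather than the excerpts; the rule table is where the real work lives, and extending CONSTANTS with the message and raster-op values you meet most often pays off quickly when a report runs to thousands of such entries.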
                                                                                APIs
                                                                                  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
                                                                                  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
                                                                                  • Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C
                                                                                • IsRectEmpty.USER32(?), ref: 004085F5
                                                                                • GetCurrentObject.GDI32(?,00000002), ref: 0040863A
                                                                                • GetCurrentObject.GDI32(?,00000001), ref: 0040864D
                                                                                • GetClientRect.USER32 ref: 004086D2
                                                                                • CreatePen.GDI32(-00000003,00000000,?), ref: 004086EE
                                                                                • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 004087B2
                                                                                  • Part of subcall function 00477F56: __EH_prolog.LIBCMT ref: 00477F5B
                                                                                  • Part of subcall function 00477F56: EndPaint.USER32(?,?,?,?,00407503), ref: 00477F78
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentH_prologObjectPaintRect$BeginClientClipCreateEmpty
                                                                                • String ID: gfff
                                                                                • API String ID: 3506841274-1553575800
                                                                                • Opcode ID: cb78df8f8efea29207fd0e0e2a4e82aa2ad0717ad72b5891e70ee69f746d4c50
                                                                                • Instruction ID: 84475fed57fc6309bad2faaa26ced605f9c0754e3701d454ad9ce23e8975f978
                                                                                • Opcode Fuzzy Hash: cb78df8f8efea29207fd0e0e2a4e82aa2ad0717ad72b5891e70ee69f746d4c50
                                                                                • Instruction Fuzzy Hash: 3CE18DB11083419FC714DF64C984A6FB7E8FB84714F508A2EF59993290DB39E909CB6A
APIs
• SetWindowRgn.USER32(?,00000000,00000001), ref: 004163F1
• GetWindowRect.USER32(?,?), ref: 0041641E
• BeginPath.GDI32(?), ref: 004164A7
• MulDiv.KERNEL32(7FFF0000,?,00007FFF), ref: 004164C0
• MulDiv.KERNEL32(00000000,?,00007FFF), ref: 004164CF
• MulDiv.KERNEL32(3FFF0000,?,00007FFF), ref: 004164F7
• MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00416506
• EndPath.GDI32(?), ref: 00416521
• PathToRegion.GDI32(?), ref: 0041652C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Path$Window$BeginRectRegion
• String ID: gfff$gfff
• API String ID: 3989698161-3084402119
• Opcode ID: 3542b5e7ee9a50fe237b10485d58a1eea6e8a4d88519bd8aaa1bb9eedcedd216
• Instruction ID: f7dad664dab1b599b5265a1cc4251b1bcab9878d5f274a0e5e2cb94d2d1e07e8
• Opcode Fuzzy Hash: 3542b5e7ee9a50fe237b10485d58a1eea6e8a4d88519bd8aaa1bb9eedcedd216
• Instruction Fuzzy Hash: 4B81F5B16047419BC714DF25CC85AABB7E9FB94704F05892EF58A83390DA38E849C766
APIs
• CopyRect.USER32(?,?), ref: 00432726
  • Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
  • Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103
• FillRect.USER32(?,?,00000000), ref: 00432764
• GetSystemMetrics.USER32(0000002E), ref: 0043278D
• GetSystemMetrics.USER32(0000002D), ref: 00432793
• DrawFrameControl.USER32(?,?,00000003,?), ref: 00432806
• DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00432819
• InflateRect.USER32(?,00FFFFFD,00000001), ref: 00432834
• GetSysColor.USER32(0000000F), ref: 00432858
• Rectangle.GDI32(?,?,?,?,?), ref: 004328AB
• OffsetRect.USER32(?,00000001,00000001), ref: 00432915
• GetSysColor.USER32(00000014), ref: 0043291B
• OffsetRect.USER32(?,000000FF,000000FF), ref: 00432943
• GetSysColor.USER32(00000010), ref: 00432949
• InflateRect.USER32(?,000000FF,000000FF), ref: 00432992
• DrawFocusRect.USER32(?,?), ref: 004329A1
  • Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
  • Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Rect$ColorDraw$InflateMetricsOffsetSystemTextWindow$BrushControlCopyCreateEdgeFillFocusFrameH_prologLengthRectangleSolid
• String ID: \VO
• API String ID: 4239342997-2422581269
• Opcode ID: 1abf5de5de815b56706138afbfcc1de0515ae9c7abca7ff1e9d760a1b38c9eee
• Instruction ID: 3cf1ac0d6f2977c022c9e2c05122f9251f9e25d67f3a6ce3f4c396b2b7882b70
• Opcode Fuzzy Hash: 1abf5de5de815b56706138afbfcc1de0515ae9c7abca7ff1e9d760a1b38c9eee
• Instruction Fuzzy Hash: 97A18970208345AFD704DF68C888A6BBBE8FF88714F004A1DF59587390DBB4E949CB56
APIs
  • Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C
• GetParent.USER32(?), ref: 00474D19
• SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00474D3C
• GetWindowRect.USER32(?,?), ref: 00474D55
• GetWindowLongA.USER32(00000000,000000F0), ref: 00474D68
• CopyRect.USER32(?,?), ref: 00474DB5
• CopyRect.USER32(?,?), ref: 00474DBF
• GetWindowRect.USER32(00000000,?), ref: 00474DC8
• CopyRect.USER32(?,?), ref: 00474DE4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Rect$Window$Copy$Long$MessageParentSend
• String ID: ($@
• API String ID: 808654186-1311469180
• Opcode ID: dc271aa11eab96b35872365d5beb9c8ff005cc99d9ee8cee52f3bbad3cab86c8
• Instruction ID: 33aaa6eebd9b44d4df325afcfff1a2668f3269a5d66366098d758c5bd0ebcb1e
• Opcode Fuzzy Hash: dc271aa11eab96b35872365d5beb9c8ff005cc99d9ee8cee52f3bbad3cab86c8
• Instruction Fuzzy Hash: FB518572900219AFDB11DBA8CC85EFE7BBDAF84710F15451AF905F7281D734AD058B68
APIs
• CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,00000000,?,0045EF88,?,?,00000003), ref: 0045F304
• CloseHandle.KERNEL32(00000000,?,?,0045EF88,?,?,00000003), ref: 0045F329
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,0045EF88,?,?,00000003), ref: 0045F34E
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateFile
• String ID:
• API String ID: 1378612225-0
• Opcode ID: e5d64c4776824d1a6600e4c5e7c706abb6d202df391aab16010049e900b5a72c
• Instruction ID: 93a5b94ac9923f3a0d88f560276e6fa69721c295438eab342225148944b91d43
• Opcode Fuzzy Hash: e5d64c4776824d1a6600e4c5e7c706abb6d202df391aab16010049e900b5a72c
• Instruction Fuzzy Hash: 3B71D6B27006047BD350EB64AC49B6F7358EB94325F14053EFD0AE6242FA29E50DC7AB
APIs
• GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 00425F0F
• GetProfileStringA.KERNEL32(devices,00000000,005061F8,?,00001000), ref: 00425F43
• GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 00425FCA
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: ProfileString
• String ID: ,,,$\VO$device$devices$none$windows
• API String ID: 1468043044-979354821
• Opcode ID: 462362b1efea64711f958d32f810c43c0a75208805c48dab6a357b303f9df8a3
• Instruction ID: 72a3fcc8f70a006dab4db8beaee3707adff94381c471827522dd11c0ade0c22b
• Opcode Fuzzy Hash: 462362b1efea64711f958d32f810c43c0a75208805c48dab6a357b303f9df8a3
• Instruction Fuzzy Hash: ABB19770218381DFD320DF65C881BEBB7E4AF99358F400A1EF95993291DB78A904CB67
APIs
• GetModuleHandleA.KERNEL32(USER32,?,?,?,0046097B), ref: 00460864
• GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0046087C
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0046088D
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0046089E
• GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004608AF
• GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 004608C0
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004608D1
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
• API String ID: 667068680-2376520503
• Opcode ID: d13820b460386aebcabd403ba4983d4676148ab36bbcd71366257b50b4b90d2e
• Instruction ID: 5b45710062983dbec34d8486d3dc9b0a2c00a7010c6b970f7802fab2d545ebf1
• Opcode Fuzzy Hash: d13820b460386aebcabd403ba4983d4676148ab36bbcd71366257b50b4b90d2e
• Instruction Fuzzy Hash: 09119D70E022119FDB13AF25ACC95AFBAE4B65C7A4360843FD009D3251E7F84459AA6B
APIs
  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
  • Part of subcall function 00440510: GetWindowExtEx.GDI32(?,?), ref: 00440533
• MulDiv.KERNEL32(?,00000064,?), ref: 0044107B
• GetClientRect.USER32(?,?), ref: 00441109
• DPtoLP.GDI32(?,?,00000002), ref: 0044111E
• OffsetRect.USER32 ref: 0044116D
• Rectangle.GDI32(?,?,?,?,?), ref: 004411AB
• FillRect.USER32(?,?,?), ref: 00441203
• FillRect.USER32(?,00000032,?), ref: 00441246
• LPtoDP.GDI32(?,?,00000002), ref: 004412EF
• IsRectEmpty.USER32(?), ref: 004412F6
• CreateRectRgnIndirect.GDI32(?), ref: 0044133A
  • Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,00000000), ref: 00477AC7
  • Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,?), ref: 00477ADD
• LPtoDP.GDI32(?,?,00000001), ref: 0044137A
• DPtoLP.GDI32(?,?,00000001), ref: 004413A1
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches: none listed
Similarity
• API ID: Rect$ClipFillSelect$BeginClientCreateEmptyH_prologIndirectOffsetPaintRectangleWindow
• String ID: 2
• API String ID: 2521159323-450215437
• Opcode ID: e535424e4969fd1bee50bcc5fd7d5d7d4b1079d50ea380a4ee942e4176eda42f
• Instruction ID: b5526800f66695e85caf96ce22d6fcee9c0ff35ef3e05dbb7cc50012dae84c19
• Opcode Fuzzy Hash: e535424e4969fd1bee50bcc5fd7d5d7d4b1079d50ea380a4ee942e4176eda42f
• Instruction Fuzzy Hash: EBE129716087409FD324DF69C880B6BB7E9BBC8704F408A2EF59A87351DB74E948CB56
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 004127F4
• LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,004EBC78,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412831
• GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00412867
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412872
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412880
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0041298D
• RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004129C2
• CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412A87
• UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 00412AA3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions (00400000 through 0051D000) listed under the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches: none listed
Similarity
• API ID: Library$LoadType$FreeRegister$AddressFromProcString
• String ID: DllRegisterServer$DllUnregisterServer$\VO$`\A
• API String ID: 2476498075-2904461489
• Opcode ID: 2c1f902cf2e2e42bd959cb8b9514c15467df9952a7daf8a10a884e138e973be2
• Instruction ID: 2a7cd6143d08823eed12b8c27d4c3e0507f0e7245fdf56a52279f6a062aea394
• Opcode Fuzzy Hash: 2c1f902cf2e2e42bd959cb8b9514c15467df9952a7daf8a10a884e138e973be2
• Instruction Fuzzy Hash: B7B1D2B0900209ABDB14EFA4C945BEF7378EF44318F14861EF815E7281DBB89E45CB65
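The function record above (LoadLibraryA, then GetProcAddress for the DllRegisterServer export, then LoadTypeLib/RegisterTypeLib/CLSIDFromString/UnRegisterTypeLib) is the same call sequence regsvr32 performs when it registers an in-process COM server and its type library, and the record near 0043730B further down creates a thread with dwCreationFlags 00000004 (CREATE_SUSPENDED) that is later released with ResumeThread. Both are patterns an analyst usually wants pulled out of a long function dump automatically. The script below is an added example and is not part of the Joe Sandbox report: it parses function records in exactly the text shape used on this page (an "APIs" header, bullet lines of the form `Name.MODULE(args), ref: ADDR`, indented "Part of subcall function" lines for calls inherited from callees, and the "String ID" and "Instruction Fuzzy Hash" lines), then applies two triage rules. The excerpt it runs on is constructed from lines copied off this page; the rule names, the `entry` label (lowest direct call-site address, since the report does not print the function start) and the thresholds are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of three function records, copied from this report section with the
# leading whitespace and the memory-dump listings removed. The second record's fuzzy hash
# lies outside the excerpt, so that record simply has none.
SAMPLE = r"""
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 004127F4
• GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00412867
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412872
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0041298D
• RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004129C2
Strings
• String ID: DllRegisterServer$DllUnregisterServer$\VO$`\A
• Instruction Fuzzy Hash: B7B1D2B0900209ABDB14EFA4C945BEF7378EF44318F14861EF815E7281DBB89E45CB65
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043730B
• CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00437320
• CreateThread.KERNEL32(00000000,00000000,00437580,?,00000004,?), ref: 00437380
• ResumeThread.KERNEL32(?), ref: 00437553
APIs
  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
• MulDiv.KERNEL32(?,00000064,?), ref: 0044107B
• GetClientRect.USER32(?,?), ref: 00441109
Strings
• String ID: 2
• Instruction Fuzzy Hash: EBE129716087409FD324DF69C880B6BB7E9BBC8704F408A2EF59A87351DB74E948CB56
"""

# One API line: optional "Part of subcall function <callee>: ", then Name.MODULE, optional
# "(args)" (some lines such as __EH_prolog have none), then ", ref: <call site>".
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

CREATE_SUSPENDED = 0x00000004  # CreateThread dwCreationFlags bit


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # as printed; "?" means the static pass could not resolve the value
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address when the line was inherited from a callee


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fuzzy_hash: str = ""

    @property
    def entry(self) -> int:
        """Lowest direct call-site address; used as a label because the report prints no start address."""
        direct = [c.ref for c in self.calls if c.subcall is None]
        return min(direct) if direct else 0


def _hex(s: str) -> Optional[int]:
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]+", s) else None


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                       # every function record starts with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            sub = m.group("sub")
            cur.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                     int(m.group("ref"), 16), int(sub, 16) if sub else None))
        elif s.startswith("• String ID:"):    # '$'-separated list of referenced strings
            cur.strings = [x for x in s.split(":", 1)[1].strip().split("$") if x]
        elif s.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = s.split(":", 1)[1].strip()
    return records


def triage(rec: FunctionRecord) -> List[Tuple[str, List[str]]]:
    """Apply the two rules to one record. Only direct calls count: 'Part of subcall' lines
    belong to callees and would otherwise be attributed to every caller as well."""
    findings: List[Tuple[str, List[str]]] = []
    direct = [c for c in rec.calls if c.subcall is None]
    names = {c.name for c in direct}
    loaders = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
    if names & loaders and "GetProcAddress" in names:
        # Second GetProcAddress argument is the export name when it was resolved statically;
        # skip "?" and bare hex values (unresolved pointers or ordinals).
        targets = sorted(c.args[1] for c in direct
                         if c.name == "GetProcAddress" and len(c.args) > 1
                         and c.args[1] != "?" and _hex(c.args[1]) is None)
        findings.append(("dynamic-api-resolution", targets))
    for c in direct:
        if c.name == "CreateThread" and len(c.args) >= 5:
            flags = _hex(c.args[4])           # dwCreationFlags
            if flags is not None and flags & CREATE_SUSPENDED:
                findings.append(("suspended-thread", [c.args[2]]))   # lpStartAddress
    return findings


def triage_report(text: str) -> Dict[int, List[Tuple[str, List[str]]]]:
    """Map each flagged function's entry label to its findings."""
    return {rec.entry: f for rec in parse_records(text) if (f := triage(rec))}


if __name__ == "__main__":
    for entry, findings in triage_report(SAMPLE).items():
        for rule, detail in findings:
            print(f"{entry:08X}  {rule:<24} {' '.join(detail)}")
```

Two caveats when running this over a full report: the argument values come from Joe Sandbox's static pass, so a `?` in the flags position means the rule cannot decide either way, and a function whose LoadLibrary and GetProcAddress calls sit in different records (for instance one in a helper the report lists only as a subcall) will not be caught by the first rule; widen it to include subcall lines if that matters for the sample at hand.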
APIs
  • Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7
• RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 0046FBE2
• RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 0046FBEE
• RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 0046FBFA
• RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 0046FC06
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 0046FC12
• RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 0046FC1E
  • Part of subcall function 0047550D: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0047553C
• SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0046FD11
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions (00400000 through 0051D000) listed under the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches: none listed
Similarity
• API ID: ClipboardFormatRegister$LongMessageSendValueWindow
• String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
• API String ID: 3913284445-3888057576
• Opcode ID: be2e6bc80918cd9e81a3b6603a6f9dad23a3bf797affcb16a16c028d49ff66a2
• Instruction ID: e8cbde16e72be945a173f910a9890911ac1ff162c4cd2530079f0ce0d075924f
• Opcode Fuzzy Hash: be2e6bc80918cd9e81a3b6603a6f9dad23a3bf797affcb16a16c028d49ff66a2
• Instruction Fuzzy Hash: 3941C870600209EBDB219F25ED54AAE3BE1FB54350F10843BF845573A1E7786889DBAB
APIs
  • Part of subcall function 0041A890: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041A89F
• SetStretchBltMode.GDI32(?,00000000), ref: 00420274
• CreateCompatibleDC.GDI32(?), ref: 004202F9
• CreateCompatibleDC.GDI32(?), ref: 00420311
• GetObjectA.GDI32(?,00000018,?), ref: 00420352
• CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00420368
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004203C6
• StretchBlt.GDI32(?,000000FF,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0042041F
• StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,008800C6), ref: 00420459
• StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420493
• CreateCompatibleDC.GDI32(?), ref: 0042050B
• SelectObject.GDI32(00000000,?), ref: 00420518
• StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 0042055B
• SelectObject.GDI32(00000000,?), ref: 00420567
• DeleteDC.GDI32(00000000), ref: 0042056E
• DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 004205AD
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions (00400000 through 0051D000) listed under the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches: none listed
Similarity
• API ID: Stretch$Create$CompatibleObject$Select$BitmapDeleteDisplayDrawEnumIconModeSettings
• String ID: (none)
• API String ID: 1298110373-0
• Opcode ID: 0537f947b89385689be2f9d7d032549ad8574c3dea090f18741f97c5f748d6fa
• Instruction ID: 17619965480f62b14a52ff191b809c7ce4d7e6d4c3db2964fc58394abe64549d
• Opcode Fuzzy Hash: 0537f947b89385689be2f9d7d032549ad8574c3dea090f18741f97c5f748d6fa
• Instruction Fuzzy Hash: 50B14771204704AFD260DB24DC85F6BB7E9FB88714F508A1DFAA987291DB34EC058B66
APIs
  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
  • Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C
• IsRectEmpty.USER32(?), ref: 004079D7
• GetClientRect.USER32(?,?), ref: 004079EF
• InflateRect.USER32(?,?,?), ref: 00407AAD
• IntersectRect.USER32(?,?,?), ref: 00407B17
• CreateRectRgn.GDI32(?,?,?,?), ref: 00407B31
• FillRgn.GDI32(?,?,?), ref: 00407CF0
• GetCurrentObject.GDI32(?,00000006), ref: 00407D6F
  • Part of subcall function 0047763C: GetStockObject.GDI32(?), ref: 00477645
  • Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047765F
  • Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047766A
• OffsetRect.USER32(?,00000001,00000001), ref: 00407E4D
• OffsetRect.USER32(?,00000002,00000002), ref: 00407EE1
• OffsetRect.USER32(?,00000001,00000001), ref: 00407E94
  • Part of subcall function 0047780C: SetTextColor.GDI32(?,?), ref: 00477826
  • Part of subcall function 0047780C: SetTextColor.GDI32(?,?), ref: 00477834
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions (00400000 through 0051D000) listed under the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches: none listed
Similarity
• API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
• String ID: \VO$`\A
• API String ID: 4264835570-155183320
• Opcode ID: 21ed0e643a88cbe9fce1cc9bc6fe74b20f5628e7b51a1746d9653e32ba41e356
• Instruction ID: f1cb8365919adad034e9c0048380ad3851465d879629627dbbddc62b84a7a698
• Opcode Fuzzy Hash: 21ed0e643a88cbe9fce1cc9bc6fe74b20f5628e7b51a1746d9653e32ba41e356
• Instruction Fuzzy Hash: 970258715083809FC324DF65C884AABB7E9AFD8304F404D2EF19A97391DB78A949CB57
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043730B
                                                                                • CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00437320
                                                                                • InitializeCriticalSection.KERNEL32(?), ref: 0043734B
                                                                                • CreateThread.KERNEL32(00000000,00000000,00437580,?,00000004,?), ref: 00437380
                                                                                • EnterCriticalSection.KERNEL32(00506290), ref: 00437392
                                                                                • LeaveCriticalSection.KERNEL32(00506290,?,?,?), ref: 00437545
                                                                                • ResumeThread.KERNEL32(?), ref: 00437553
                                                                                • ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 00437565
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
                                                                                • String ID: RIFF$WAVE$data$fmt
                                                                                • API String ID: 1802393137-4212202414
                                                                                • Opcode ID: 1f4f1fb0654d643843ba443eee6c62bf41dbaafe7756f7bda6b53ceec7718e72
                                                                                • Instruction ID: 3b36d0e92ecd7ea351ef81ddf933bb2881005b542b3d166f59ff4336fec43f12
                                                                                • Opcode Fuzzy Hash: 1f4f1fb0654d643843ba443eee6c62bf41dbaafe7756f7bda6b53ceec7718e72
                                                                                • Instruction Fuzzy Hash: B4B102B56043019FD724DB24DC81A2F77D5FB88318F144A2EFA8697380E6B8ED05CB99
                                                                                APIs
                                                                                • lstrcpyA.KERNEL32(00000004,Untitled), ref: 0045EEFC
                                                                                • lstrcpyA.KERNEL32(00000108,0050C380), ref: 0045EF0A
                                                                                  • Part of subcall function 0046F09D: __EH_prolog.LIBCMT ref: 0046F0A2
                                                                                  • Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A
                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,00000003), ref: 0045F0D6
                                                                                • EnumResourceNamesA.KERNEL32(00000000,0000000E,0045EE60,00000000), ref: 0045F0F1
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,00000003), ref: 0045F146
                                                                                  • Part of subcall function 0045F2E0: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,00000000,?,0045EF88,?,?,00000003), ref: 0045F304
                                                                                  • Part of subcall function 0045F2E0: CloseHandle.KERNEL32(00000000,?,?,0045EF88,?,?,00000003), ref: 0045F329
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000003), ref: 0045F264
                                                                                  • Part of subcall function 00471484: lstrlenA.KERNEL32(004EBE14,?,?,?,0041239F,004EBE04,004EBE14,?), ref: 004714AE
                                                                                  • Part of subcall function 00471503: InterlockedIncrement.KERNEL32(-000000F4), ref: 00471546
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$FreeInterlockedlstrcpy$CloseCreateDecrementEnumFileH_prologHandleIncrementLoadNamesResourcelstrlen
                                                                                • String ID: Untitled$bmp$dll$exe$icl$ico
                                                                                • API String ID: 512669960-3908647699
                                                                                • Opcode ID: 7b2fdd93bb655b9ba533a1d1734fdcb55384f03c7c1e911517c3e1ce0ba97275
                                                                                • Instruction ID: 87f68cac6fa1f83a54633933f61fd927329eb339b200a04d74b17ee5601f88cd
                                                                                • Opcode Fuzzy Hash: 7b2fdd93bb655b9ba533a1d1734fdcb55384f03c7c1e911517c3e1ce0ba97275
                                                                                • Instruction Fuzzy Hash: F7A10B71504341ABC710EF65CC81AAF77D86B54309F140E2EF99593292EB78E90DC76B
                                                                                APIs
                                                                                • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 0040A0B8
                                                                                • lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?,?,?,?), ref: 0040A0F7
                                                                                • lstrlenA.KERNEL32(?), ref: 0040A14C
                                                                                • lstrcatA.KERNEL32(00000000,004EBC8C), ref: 0040A195
                                                                                • lstrcatA.KERNEL32(00000000,?), ref: 0040A19D
                                                                                • WinExec.KERNEL32(?,?), ref: 0040A1A5
                                                                                  • Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$DecrementExecExecuteInterlockedShelllstrlen
                                                                                • String ID: "%1"$.htm$\VO$\shell\open\command$mailto:$open
                                                                                • API String ID: 51986957-351272319
                                                                                • Opcode ID: c52b00253a0554a0f1561ef04ac30bb903421b257e8e8e7e3b8eb3e00ed38aae
                                                                                • Instruction ID: 1c9faf835a631aa9990e3421a01c6563ae46c5a1cbe0c9043d5f651ae57a446e
                                                                                • Opcode Fuzzy Hash: c52b00253a0554a0f1561ef04ac30bb903421b257e8e8e7e3b8eb3e00ed38aae
                                                                                • Instruction Fuzzy Hash: 2041E731144342ABD324DF65DC84F9BB3A4EB84750F104A2EF955A72D0EB78AC05C7AB
                                                                                APIs
                                                                                • GetCapture.USER32 ref: 0042CA5E
                                                                                • SetCapture.USER32(?,?,?,?,?,?,?,?,?,0047E088,000000FF,0042C29D,?,?,?,?), ref: 0042CA7B
                                                                                  • Part of subcall function 00477D7C: __EH_prolog.LIBCMT ref: 00477D81
                                                                                  • Part of subcall function 00477D7C: GetDC.USER32(00000000), ref: 00477DAA
                                                                                  • Part of subcall function 00440510: GetWindowExtEx.GDI32(?,?), ref: 00440533
                                                                                  • Part of subcall function 00477CAA: GetWindowExtEx.GDI32(?,?), ref: 00477CBB
                                                                                  • Part of subcall function 00477CAA: GetViewportExtEx.GDI32(?,?), ref: 00477CC8
                                                                                  • Part of subcall function 00477CAA: MulDiv.KERNEL32(?,00000000,00000000), ref: 00477CED
                                                                                  • Part of subcall function 00477CAA: MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D08
                                                                                  • Part of subcall function 0047783B: SetMapMode.GDI32(?,?), ref: 00477854
                                                                                  • Part of subcall function 0047783B: SetMapMode.GDI32(?,?), ref: 00477862
                                                                                  • Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777C9
                                                                                  • Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777D7
                                                                                  • Part of subcall function 00477754: SetBkMode.GDI32(?,?), ref: 0047776D
                                                                                  • Part of subcall function 00477754: SetBkMode.GDI32(?,?), ref: 0047777B
                                                                                  • Part of subcall function 00478091: __EH_prolog.LIBCMT ref: 00478096
                                                                                  • Part of subcall function 00478091: CreatePen.GDI32(?,?,?), ref: 004780B9
                                                                                  • Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
                                                                                  • Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0
                                                                                • GetCapture.USER32 ref: 0042CB41
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0042CB60
                                                                                • DispatchMessageA.USER32(?), ref: 0042CBA1
                                                                                • DispatchMessageA.USER32(?), ref: 0042CBBD
                                                                                • ScreenToClient.USER32(?,?), ref: 0042CC04
                                                                                • GetCapture.USER32 ref: 0042CC2C
                                                                                • ReleaseCapture.USER32 ref: 0042CC54
                                                                                • ReleaseCapture.USER32 ref: 0042CCB0
                                                                                • DPtoLP.GDI32 ref: 0042CCF4
                                                                                • InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0042CD7D
                                                                                • InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042CE0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
                                                                                • String ID:
                                                                                • API String ID: 453157188-0
                                                                                • Opcode ID: 94c846517be21040bb1880835b283ea298a5a98bf9f035a891f81d1e499249dd
                                                                                • Instruction ID: a9d9feff164a58bc1f3445cd106c9e04f289eaa40406c24c17a27bb605ba7f3c
                                                                                • Opcode Fuzzy Hash: 94c846517be21040bb1880835b283ea298a5a98bf9f035a891f81d1e499249dd
                                                                                • Instruction Fuzzy Hash: 9EB1B671208710AFD324EB25D885F6FB7E9BF84704F504A1EF15683291DB78E905CB5A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Parent$ActiveChildEnabledFocusUpdateVisible
                                                                                • String ID:
                                                                                • API String ID: 983273251-0
                                                                                • Opcode ID: 256eba9843d91fd78323f9a5e5e5b1632a414b9c0f2d8a220287970851882ebf
                                                                                • Instruction ID: 4470a9682c9feab395cd8ae13c9142f9bdb3a8f6857d57a6888fa44c00c6021b
                                                                                • Opcode Fuzzy Hash: 256eba9843d91fd78323f9a5e5e5b1632a414b9c0f2d8a220287970851882ebf
                                                                                • Instruction Fuzzy Hash: AF51A075A083059BD7249FA1D980AAFBBF8BF44740F04492FF94592310DB38E885CBA9
                                                                                APIs
                                                                                • InflateRect.USER32(?,?,?), ref: 0041F4C6
                                                                                  • Part of subcall function 0041F1F0: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041F2D9
                                                                                  • Part of subcall function 0041F1F0: OffsetRect.USER32(?,?,?), ref: 0041F2E6
                                                                                  • Part of subcall function 0041F1F0: IntersectRect.USER32(?,?,?), ref: 0041F302
                                                                                  • Part of subcall function 0041F1F0: IsRectEmpty.USER32(?), ref: 0041F30D
                                                                                • InflateRect.USER32(?,?,?), ref: 0041F539
                                                                                • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0041F73D
                                                                                • GetClipRgn.GDI32(?,00000000), ref: 0041F74C
                                                                                • CreatePolygonRgn.GDI32 ref: 0041F7CA
                                                                                • SelectClipRgn.GDI32(?,?), ref: 0041F8AD
                                                                                • CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 0041F8D0
                                                                                • SelectClipRgn.GDI32(?,?), ref: 0041F951
                                                                                • DeleteObject.GDI32(?), ref: 0041F967
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
                                                                                • String ID: `\A$gfff
                                                                                • API String ID: 1105800552-3693403256
                                                                                • Opcode ID: 002463bd868e213b3c005d189c5053b50a67326df2e2d58a4613c1d58e2a01c1
                                                                                • Instruction ID: 21808003a164f294b132e143f502ca60ad606ef5f00e253bb2e44b17dd95ff05
                                                                                • Opcode Fuzzy Hash: 002463bd868e213b3c005d189c5053b50a67326df2e2d58a4613c1d58e2a01c1
                                                                                • Instruction Fuzzy Hash: 63F12A706083419FD324CF19C984BABBBE5BBC8314F108A2EF59987351D774E94ACB56
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004721FD
                                                                                • GetSystemMetrics.USER32(0000002A), ref: 004722AE
                                                                                • GlobalLock.KERNEL32(?), ref: 00472338
                                                                                • CreateDialogIndirectParamA.USER32(?,?,?,Function_00072040,00000000), ref: 0047236A
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
                                                                                • String ID: Helv$MS Sans Serif$MS Shell Dlg$\VO
                                                                                • API String ID: 2364537584-3953083670
                                                                                • Opcode ID: 6712e40696192dba4334bfd25885df9e5e14d6970fa915b4632f2d76f07b4467
                                                                                • Instruction ID: fde4db3d83bfafcfc887cc612e2a652cf5ead152118e26608ad6e8270f66426b
                                                                                • Opcode Fuzzy Hash: 6712e40696192dba4334bfd25885df9e5e14d6970fa915b4632f2d76f07b4467
                                                                                • Instruction Fuzzy Hash: 35617E3190020ADFCF10EFA4D9859EEBBB1BF04304F24846FE509A6291DB788E44DB99
                                                                                APIs
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433D0B
                                                                                  • Part of subcall function 004757C9: EnableWindow.USER32(?,00000000), ref: 004757D7
                                                                                  • Part of subcall function 00475576: GetDlgItem.USER32(?,?), ref: 00475584
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433D45
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433D5C
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433DAD
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433DE7
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433E14
                                                                                • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433E4A
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$EnableItemWindow
                                                                                • String ID: D O$P O$\ O$h O
                                                                                • API String ID: 607626308-3003591817
                                                                                • Opcode ID: c4f34f34c212208e42cfb6fb293a5e3e66226cac0385e92f86c9542618333e27
                                                                                • Instruction ID: c5d2a1c0cf419669732a6fff45e4f0234bbcf3fc0023316852f4da3bfb549d37
                                                                                • Opcode Fuzzy Hash: c4f34f34c212208e42cfb6fb293a5e3e66226cac0385e92f86c9542618333e27
                                                                                • Instruction Fuzzy Hash: B1318531380B0077E67866758C96FEB12699BC5F04F10891EB31A9F2C6DDE8F905875C
                                                                                APIs
                                                                                • CreateRectRgn.GDI32(?,?,?,?), ref: 004167EE
                                                                                • GetClientRect.USER32(?,?), ref: 00416889
                                                                                • CreateRectRgn.GDI32 ref: 004168FA
                                                                                • CombineRgn.GDI32(?,?,004D7FEC,00000004), ref: 0041692B
                                                                                • SetRect.USER32(?,00000000,?,?,?), ref: 00416982
                                                                                • IntersectRect.USER32(?,?,?), ref: 0041698F
                                                                                • IsRectEmpty.USER32(?), ref: 004169BA
                                                                                • __ftol.LIBCMT ref: 00416A98
                                                                                • __ftol.LIBCMT ref: 00416AA5
                                                                                • CreateRectRgn.GDI32(00000000,?,00000000,00000000), ref: 00416AFE
                                                                                • CombineRgn.GDI32(?,?,004D7FEC,00000004), ref: 00416B2F
                                                                                  • Part of subcall function 00420260: SetStretchBltMode.GDI32(?,00000000), ref: 00420274
                                                                                  • Part of subcall function 00420260: CreateCompatibleDC.GDI32(?), ref: 004202F9
                                                                                  • Part of subcall function 00420260: CreateCompatibleDC.GDI32(?), ref: 00420311
                                                                                  • Part of subcall function 00420260: GetObjectA.GDI32(?,00000018,?), ref: 00420352
                                                                                  • Part of subcall function 00420260: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00420368
                                                                                • FillRgn.GDI32(?,?,00000000), ref: 00416BAC
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Rect$Create$CombineCompatible__ftol$BitmapClientEmptyFillIntersectModeObjectStretch
                                                                                • String ID:
                                                                                • API String ID: 3212946024-0
                                                                                • Opcode ID: a60ac143f793ec1e8565695001fda561b7fec4dd3d7a87a3c07b57fd3af81bff
                                                                                • Instruction ID: 0e6a80a6e4318c68411253c9e066ec459b68b9a8fc38486085164a77caeaf467
                                                                                • Opcode Fuzzy Hash: a60ac143f793ec1e8565695001fda561b7fec4dd3d7a87a3c07b57fd3af81bff
                                                                                • Instruction Fuzzy Hash: 99D19C715083409FC714DF25C884AAFBBE9FBC4344F158A1EF49993251EB34E949CB66
                                                                                APIs
                                                                                • LoadLibraryExA.KERNEL32 ref: 0045F70C
                                                                                • FindResourceA.KERNEL32(00000000,?,0000000E), ref: 0045F72C
                                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0045F73C
                                                                                • LockResource.KERNEL32(00000000), ref: 0045F74B
                                                                                • lstrcpyA.KERNEL32(00000108,?,00000000,0045F20D,?,?,?,?,?,?,?,00000003), ref: 0045F79A
                                                                                • lstrcpyA.KERNEL32(00000004,005187F4,?,?,?,?,?,00000003), ref: 0045F7A5
                                                                                • FindResourceA.KERNEL32(00000000,00000000,00000003), ref: 0045F7D9
                                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0045F7EB
                                                                                • SizeofResource.KERNEL32(00000000,00000000), ref: 0045F7FD
                                                                                • LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000003), ref: 0045F815
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 0045F86A
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 0045F89A
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$LibraryLoad$FindFreeLocklstrcpy$Sizeof
                                                                                • String ID:
                                                                                • API String ID: 680694701-0
                                                                                • Opcode ID: e9f1649fae0fcbdfd11c1a9c48ec548ff949134455c521bc6e02bfa377c7782b
                                                                                • Instruction ID: c1e52c1d842852864ad50ae5e09fc00e7d3b6428034577f7c2df6316cf1ac212
                                                                                • Opcode Fuzzy Hash: e9f1649fae0fcbdfd11c1a9c48ec548ff949134455c521bc6e02bfa377c7782b
                                                                                • Instruction Fuzzy Hash: 19418EB26003019BD350EB65D948A5BB7E9BF88711F044A3EEC5AD7301EB79E80CC766
                                                                                APIs
                                                                                • IsChild.USER32(?,?), ref: 00417508
                                                                                • GetParent.USER32(?), ref: 00417599
                                                                                • IsWindow.USER32(?), ref: 004176CB
                                                                                • IsWindowVisible.USER32(?), ref: 004176DD
                                                                                  • Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8
                                                                                • GetParent.USER32(?), ref: 0041772E
                                                                                • IsChild.USER32(?,?), ref: 0041774E
                                                                                • GetParent.USER32(?), ref: 004178F7
                                                                                • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00417914
                                                                                • IsWindow.USER32(?), ref: 0041796F
                                                                                  • Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
                                                                                  • Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ParentWindow$Child$EnabledMessageSendVisible
                                                                                • String ID: `\A
                                                                                • API String ID: 2452671399-2688774508
                                                                                • Opcode ID: aa64087c053f8b682c7e6de7fe95a305eb914c8423ecfcc6edf21f42f63de7f3
                                                                                • Instruction ID: 06ea7e021641c4486a28e1da1497cc32289bdd10cc7d44b10d7623f0a89af477
                                                                                • Opcode Fuzzy Hash: aa64087c053f8b682c7e6de7fe95a305eb914c8423ecfcc6edf21f42f63de7f3
                                                                                • Instruction Fuzzy Hash: D0E18F716083419FD720DF25C884BABB7B5BF84714F004A2EF9959B381DB38E949CB96
                                                                                APIs
                                                                                  • Part of subcall function 0041FE20: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041FEAC
                                                                                  • Part of subcall function 0041FE20: CreateCompatibleDC.GDI32(?), ref: 0041FEBE
  • Part of subcall function 0041FE20: CreateCompatibleDC.GDI32(?), ref: 0041FEC7
  • Part of subcall function 0041FE20: SelectObject.GDI32(00000000,?), ref: 0041FED6
  • Part of subcall function 0041FE20: CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041FEE9
  • Part of subcall function 0041FE20: SelectObject.GDI32(?,00000000), ref: 0041FEF9
  • Part of subcall function 0041FE20: BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041FF19
  • Part of subcall function 0041FE20: SelectObject.GDI32(00000000,?), ref: 0041FF25
  • Part of subcall function 0041FE20: DeleteDC.GDI32(00000000), ref: 0041FF32
  • Part of subcall function 0041FE20: SelectObject.GDI32(?,?), ref: 0041FF3A
  • Part of subcall function 0041FE20: DeleteDC.GDI32(?), ref: 0041FF41
• __ftol.LIBCMT ref: 00408165
• __ftol.LIBCMT ref: 00408172
• CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 004081E4
• CombineRgn.GDI32(?,?,004D7AF0,00000004), ref: 0040820A
• SetRect.USER32(?,00000000,?,?,?), ref: 00408256
• IntersectRect.USER32(?,?,?), ref: 0040826E
• IsRectEmpty.USER32(?), ref: 00408299
• CreateRectRgn.GDI32(00000000,?,?,00000000), ref: 0040833E
• CombineRgn.GDI32(?,?,004D7AF0,00000004), ref: 00408364
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Create$Rect$ObjectSelect$Compatible$BitmapCombineDelete__ftol$EmptyIntersect
• String ID: `\A
• API String ID: 909876544-2688774508
• Opcode ID: 357a318d80e4e3c8d1fd5bdeef9a49cbf78daf671901a178b81949cff686fed4
• Instruction ID: 63671907397360969e349ad5660b0327fe40b9bad902412418eba6627bf7169b
• Opcode Fuzzy Hash: 357a318d80e4e3c8d1fd5bdeef9a49cbf78daf671901a178b81949cff686fed4
• Instruction Fuzzy Hash: 25A17A716083419BC320CF68C984A5FBBE9FBC8744F504A2EF59597391EB74E808CB96
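The API reference lines in these entries follow one fixed layout (API.Module(args), ref: address, with "Part of subcall function" lines naming the callee), so they can be parsed mechanically and screened for capability hints instead of being read one by one. The example below is added here and is not part of the Joe Sandbox report or of the sample; it parses that layout and decodes the raster-op argument of the *Blt calls (00CC0020 is SRCCOPY and 00000042 is BLACKNESS, from wingdi.h). It then flags the CreateCompatibleDC + CreateCompatibleBitmap + SRCCOPY blit combination seen in subcall 0041FE20. That combination is the shape of an off-screen copy, which is what a screen grab looks like but equally what ordinary double-buffered window painting looks like (the entry further down that starts from BeginPaint is the latter), so the flag is a hint to confirm by reading the function, not a verdict. The sample input is constructed from lines on this page; the function names, the ROP table subset and the output format are the example's own.

```python
import re
from collections import Counter

# Constructed sample input: API reference lines in the Joe Sandbox layout,
# copied from function entries on this page (subcall lines are indented).
SAMPLE = """\
  • Part of subcall function 0041FE20: CreateCompatibleDC.GDI32(?), ref: 0041FEC7
  • Part of subcall function 0041FE20: CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041FEE9
  • Part of subcall function 0041FE20: BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041FF19
  • Part of subcall function 0041FE20: DeleteDC.GDI32(00000000), ref: 0041FF32
• __ftol.LIBCMT ref: 00408165
• CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 004081E4
• LCMapStringA.KERNEL32(?,?,?,)F,?,?,7622E860,0051AD08,?,?,?,004629ED,?,?,?,00000000), ref: 0046949B
• GetDeviceCaps.GDI32 ref: 0041DE77
• PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004320EA
"""

# One reference line: optional "Part of subcall function <callee>:" prefix,
# API.Module, optional "(args)" (the sandbox prints "?" for unresolved
# arguments and may print a string argument literally, even one containing
# a ")"), then "ref: <addr>". The greedy args group plus the trailing
# ", ref:" anchor keeps the literal ")F" of the LCMapStringA line intact.
API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# GDI ternary raster operation codes (wingdi.h values); a subset.
ROP_NAMES = {
    0x00CC0020: "SRCCOPY",
    0x00EE0086: "SRCPAINT",
    0x008800C6: "SRCAND",
    0x00660046: "SRCINVERT",
    0x00330008: "NOTSRCCOPY",
    0x00550009: "DSTINVERT",
    0x00F00021: "PATCOPY",
    0x00000042: "BLACKNESS",
    0x00FF0062: "WHITENESS",
}

# Blit APIs whose last argument is the raster operation.
BLT_APIS = {"BitBlt", "StretchBlt", "PatBlt", "MaskBlt"}


def parse_api_refs(text):
    """Parse reference lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [] if raw_args is None else [a.strip() for a in raw_args.split(",")]
        callee = m.group("callee")
        entries.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "callee": None if callee is None else int(callee, 16),
        })
    return entries


def raster_op(entry):
    """Symbolic raster op of a *Blt call (hex if not in the table); None if the
    call is not a blit or the sandbox left the argument unresolved ("?")."""
    if entry["api"] not in BLT_APIS or not entry["args"]:
        return None
    try:
        rop = int(entry["args"][-1], 16)
    except ValueError:
        return None
    return ROP_NAMES.get(rop, f"0x{rop:08X}")


def capture_indicators(entries):
    """Flag the CreateCompatibleDC + CreateCompatibleBitmap + SRCCOPY blit
    combination. It is the shape of an off-screen copy (a screen grab, but
    also plain double-buffered painting), so it is a hint, not a verdict."""
    apis = Counter(e["api"] for e in entries)
    srccopy = [e for e in entries if raster_op(e) == "SRCCOPY"]
    return {
        "apis": apis,
        "srccopy_blits": [f"{e['api']}@{e['ref']:08X}" for e in srccopy],
        "offscreen_copy": bool(srccopy)
            and apis["CreateCompatibleDC"] > 0
            and apis["CreateCompatibleBitmap"] > 0,
        "subcall_functions": sorted({e["callee"] for e in entries if e["callee"] is not None}),
    }


if __name__ == "__main__":
    parsed = parse_api_refs(SAMPLE)
    for e in parsed:
        rop = raster_op(e)
        print(f"{e['ref']:08X} {e['api']}.{e['module']}" + (f"  rop={rop}" if rop else ""))
    print(capture_indicators(parsed))
```

Run against a whole report, the same parser gives a per-function API histogram that can be compared across the Gh0st-family entries, and the raster-op decoding makes a SRCCOPY grab stand out from PatBlt/BLACKNESS clears and region bookkeeping.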
APIs
• LCMapStringW.KERNEL32(00000000,00000100,004DEC1C,00000001,00000000,00000000,7622E860,0051AD08,?,?,?,004629ED,?,?,?,00000000), ref: 00469436
• LCMapStringA.KERNEL32(00000000,00000100,004DEC18,00000001,00000000,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469452
• LCMapStringA.KERNEL32(?,?,?,)F,?,?,7622E860,0051AD08,?,?,?,004629ED,?,?,?,00000000), ref: 0046949B
• MultiByteToWideChar.KERNEL32(?,?,?,)F,00000000,00000000,7622E860,0051AD08,?,?,?,004629ED,?,?,?,00000000), ref: 004694D3
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046952B
• LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469541
• LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469574
• LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 004695DC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions listed for the function above (00400000, 00480000, 004D1000, 004E8000, 004EA000, 004EB000, 004F5000, 004F9000, 00505000, 0051A000, 0051D000)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: String$ByteCharMultiWide
• String ID: )F
• API String ID: 352835431-1070133202
• Opcode ID: 7363abf5f5682ae36ce60476e9292e1a49bdb7b9d4ef4710b8faabfbaf433b88
• Instruction ID: 3be8cce5d83ac86928851763af1a71f82da28278e5e8115e3b8f9552b7e71d9f
• Opcode Fuzzy Hash: 7363abf5f5682ae36ce60476e9292e1a49bdb7b9d4ef4710b8faabfbaf433b88
• Instruction Fuzzy Hash: BA518E72500249BBCF228F94CD45ADF7FB8FF48750F10452AF912A1260E3798D51EB6A
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041DDDD
• MulDiv.KERNEL32(?,?,00000064), ref: 0041DE12
• MulDiv.KERNEL32(?,?,00000064), ref: 0041DE3D
• GetDeviceCaps.GDI32 ref: 0041DE77
• GetSystemPaletteEntries.GDI32(?,00000000,000000FF,00000004), ref: 0041DEB1
• CreatePalette.GDI32(00000000), ref: 0041DEBC
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041DF1C
• CreateCompatibleDC.GDI32(?), ref: 0041DF4F
• CreateCompatibleDC.GDI32(?), ref: 0041DF88
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041DFEB
• GlobalFree.KERNEL32(00000000), ref: 0041E0B3
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions listed for the function above (00400000, 00480000, 004D1000, 004E8000, 004EA000, 004EB000, 004F5000, 004F9000, 00505000, 0051A000, 0051D000)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Create$Compatible$Palette$BitmapCapsDeviceEntriesFreeGlobalObjectStretchSystem
• String ID:
• API String ID: 3563226738-0
• Opcode ID: 8b213860d65f115ec9d9f929d5eff3fb916814fb8737f405b49db870d71c244d
• Instruction ID: 4b63b71474c78258b4da8facf669470d9be33977debdc7d8171cbf374fef7e16
• Opcode Fuzzy Hash: 8b213860d65f115ec9d9f929d5eff3fb916814fb8737f405b49db870d71c244d
• Instruction Fuzzy Hash: A191E4B15087449FC320EF65C845BAFB7E8AF98714F50491EF69983281DB78E808CB5A
APIs
• GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 0044299F
• GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 004429C4
• GetWindowRect.USER32(?,?), ref: 00442A4E
• SetRect.USER32(00000080,?,?,?,?), ref: 00442A83
• SetRect.USER32(00000070,?,?,?,?), ref: 00442AC8
• SetRect.USER32(00000060,?,?,?,?), ref: 00442B3B
• GetSystemMetrics.USER32(00000001), ref: 00442B66
• GetSystemMetrics.USER32(00000000), ref: 00442B6C
• OffsetRect.USER32(00000080,00000000,00000000), ref: 00442B84
• OffsetRect.USER32(00000080,00000000,00000000), ref: 00442B92
• OffsetRect.USER32(00000080,00000000,00000000), ref: 00442BA4
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions listed for the function above (00400000, 00480000, 004D1000, 004E8000, 004EA000, 004EB000, 004F5000, 004F9000, 00505000, 0051A000, 0051D000)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Rect$Offset$ExtentMetricsPoint32SystemText$Window
• String ID:
• API String ID: 1551820068-0
• Opcode ID: 9b1b75070c359752abfc581e54bf8ce2c68c067e639640637462b8b3ea684918
• Instruction ID: 28797f9e3a3ba4b0bf582012105ec8d93f067c17edc9060daa6845c889502f4a
• Opcode Fuzzy Hash: 9b1b75070c359752abfc581e54bf8ce2c68c067e639640637462b8b3ea684918
• Instruction Fuzzy Hash: B0912671200B059FD328CF29C985A6AF7E6FF88710F448A2DA99AC7754EB74FC058B54
APIs
• GetClientRect.USER32(?,?), ref: 00434BAE
• FillRect.USER32(?,?,00000000), ref: 00434C0E
• FillRect.USER32(?,?,00000000), ref: 00434C7E
  • Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
  • Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103
• FillRect.USER32(?,?,00000000), ref: 00434CF5
• CreateCompatibleDC.GDI32(?), ref: 00434D1D
• SelectObject.GDI32(00000000,?), ref: 00434D33
• SetStretchBltMode.GDI32(?,00000000), ref: 00434D65
• StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00434D98
• BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00434DC3
• SelectObject.GDI32(00000000,?), ref: 00434DCF
• DeleteDC.GDI32(00000000), ref: 00434DDC
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions listed for the function above (00400000, 00480000, 004D1000, 004E8000, 004EA000, 004EB000, 004F5000, 004F9000, 00505000, 0051A000, 0051D000)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
• String ID:
• API String ID: 1645634290-0
• Opcode ID: 918914f4a2a41eaeef932567b55c75b2219924ff28361cd063a752b413d02dfd
• Instruction ID: 8bfd07817f4fcb2bd9df710c80809587db0eb4168bbd05e9446e04647d6dc126
• Opcode Fuzzy Hash: 918914f4a2a41eaeef932567b55c75b2219924ff28361cd063a752b413d02dfd
• Instruction Fuzzy Hash: 3A611A752057019FD764DF61C994FABB3E8AB88704F009A1EF95A83380DB38F905CB29
APIs
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eleven .sdmp regions listed for the function above (00400000, 00480000, 004D1000, 004E8000, 004EA000, 004EB000, 004F5000, 004F9000, 00505000, 0051A000, 0051D000)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Mode$ColorCurrentObject$FillPolyStretchText
• String ID:
• API String ID: 544274770-0
• Opcode ID: 060a488ffee05343b83569cccd361ac8a96645330de28ab76d47bc019f3c6880
• Instruction ID: f56b6998f22f5ff4a6008702b3646861877c2c4888b3fb6d4f5280ec4520e341
• Opcode Fuzzy Hash: 060a488ffee05343b83569cccd361ac8a96645330de28ab76d47bc019f3c6880
• Instruction Fuzzy Hash: 38516131214A01DBC364DB74D8C9BABB3A5EF84701F144B2DE56FA72A0DB38B845CB58
APIs
  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
• GetClientRect.USER32(?,?), ref: 0043204D
• CreateCompatibleBitmap.GDI32 ref: 00432082
• CreateCompatibleDC.GDI32(?), ref: 004320B2
  • Part of subcall function 00477625: SelectObject.GDI32(?,?), ref: 0047762D
• PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004320EA
• GetObjectA.GDI32(00000000,00000018,?), ref: 00432105
• CreateCompatibleDC.GDI32(?), ref: 00432110
• SelectObject.GDI32(00000000,00000000), ref: 00432120
• BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00432143
• SelectObject.GDI32(00000000,?), ref: 0043214F
• DeleteDC.GDI32(00000000), ref: 00432152
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043217B
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Object$CompatibleCreateSelect$BeginBitmapClientDeleteH_prologPaintRect
• String ID:
• API String ID: 1593221388-0
• Opcode ID: 88a8c695e7ba364bb4d8ee4c802b7b88cbcf5bde873c1c54ad3ae0717262bcef
• Instruction ID: 78bb33abe2f6c9293a47632c75bcdce08ace21a08d97a7278a116a874ad7c2c7
• Opcode Fuzzy Hash: 88a8c695e7ba364bb4d8ee4c802b7b88cbcf5bde873c1c54ad3ae0717262bcef
• Instruction Fuzzy Hash: 9B514E71208345AFD350DF68DD45F6BBBE8FB89714F00892DB69983281D778A808CB66
APIs
• CreatePopupMenu.USER32 ref: 0041D76E
• AppendMenuA.USER32(?,?,00000000,?), ref: 0041D8D1
• AppendMenuA.USER32(?,00000000,00000000,?), ref: 0041D909
• ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041D927
• AppendMenuA.USER32(?,?,00000000,?), ref: 0041D985
• ModifyMenuA.USER32(?,?,?,?,?), ref: 0041D9AA
• AppendMenuA.USER32(?,?,?,?), ref: 0041D9F2
• ModifyMenuA.USER32(?,?,?,?,?), ref: 0041DA17
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Menu$Append$Modify$CreatePopup
• String ID: \VO
• API String ID: 3846898120-2422581269
• Opcode ID: 7adc28b1710fc8a41cc65e696f079b137ac368db9a8b6c4c09e73b26be4c3303
• Instruction ID: 41b9f8ab24a1f392eb3dda8ba37b7d2696395050bfb9249bb3349a573394b85b
• Opcode Fuzzy Hash: 7adc28b1710fc8a41cc65e696f079b137ac368db9a8b6c4c09e73b26be4c3303
• Instruction Fuzzy Hash: 92D199B1A043019BC714DF18C884A6BB7F4FF89714F04492EF99A97391E738AD44CB9A
APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 00465920
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 00465934
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 00465960
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00460DEB), ref: 00465998
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00460DEB), ref: 004659BA
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00460DEB), ref: 004659D3
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 004659E6
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00465A24
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID: F
• API String ID: 1823725401-3458207348
• Opcode ID: 0bb270311abff756e3bee65d0a6dbd03f9842bf6a0a19154c91c5b834a9108d2
• Instruction ID: 77d6de0c89d948db18753960ef0f55bf6c037abe9dd07b781a319983c7c7fc0f
• Opcode Fuzzy Hash: 0bb270311abff756e3bee65d0a6dbd03f9842bf6a0a19154c91c5b834a9108d2
• Instruction Fuzzy Hash: 1831D2F2515A56AFDB213BB49CC483FB69CEA55328F15062FF552C3200F6294C8987AB
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00465FF0,?,Microsoft Visual C++ Runtime Library,00012010,?,004DE994,?,004DE9E4,?,?,?,Runtime Error!Program: ), ref: 0046D204
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0046D21C
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0046D22D
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0046D23A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$M
• API String ID: 2238633743-1262693084
• Opcode ID: b74d608f8057330dc438e58ffe9b4d9f0261e5985188d5f3b3a8d8d494876750
• Instruction ID: 1732e1eb935fbe2e12e7279d807f1155cc478f5e4e51eab879eeeee0c37bf787
• Opcode Fuzzy Hash: b74d608f8057330dc438e58ffe9b4d9f0261e5985188d5f3b3a8d8d494876750
• Instruction Fuzzy Hash: 0C01D831F053419F8723AFF59C9496B3AE9EB58741310447BE501D32A2E6BCC848AB16
APIs
• GetClientRect.USER32(?,?), ref: 0040C19F
• CreateCompatibleBitmap.GDI32 ref: 0040C1FB
• CreateCompatibleDC.GDI32(?), ref: 0040C22B
• CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 0040C2C0
• SetRect.USER32(?,00000000,00000000,00000001,?), ref: 0040C2E9
  • Part of subcall function 00408040: __ftol.LIBCMT ref: 00408165
  • Part of subcall function 00408040: __ftol.LIBCMT ref: 00408172
• FillRgn.GDI32(?,?,?), ref: 0040C366
• PatBlt.GDI32(?,00000000,00000000,00000001,?,00F00021), ref: 0040C3D9
  • Part of subcall function 00406250: GetSysColor.USER32(0000000F), ref: 0040625D
  • Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
  • Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103
• GetObjectA.GDI32(?,00000018,?), ref: 0040C455
• CreateCompatibleDC.GDI32(?), ref: 0040C493
• BitBlt.GDI32(?,00000000,00000000,00000001,?,?,00000000,00000000,00CC0020), ref: 0040C4F2
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Create$CompatibleRect$__ftol$BitmapBrushClientColorFillH_prologObjectSolid
• String ID:
• API String ID: 2289681609-0
• Opcode ID: 0cf4d6650ae559a525979e121d651c54641c0ea3ce0c4c9238f69ea19614ac3c
• Instruction ID: d9dc6bfa404ec283bb3f5efa404aa69a93ced87f6cc69ea1882fcf85c48e1e1b
• Opcode Fuzzy Hash: 0cf4d6650ae559a525979e121d651c54641c0ea3ce0c4c9238f69ea19614ac3c
• Instruction Fuzzy Hash: CFC18271108741DFD720DB65C885BAFB7E8AF94744F008A2EF58AD3291DB78E908CB56
APIs
• CreateSolidBrush.GDI32(00FFFFFF), ref: 0041CCCF
• GetWindowRect.USER32(?), ref: 0041CCF9
• GetStockObject.GDI32(00000005), ref: 0041CD27
• LoadCursorA.USER32(00000000,00007F00), ref: 0041CD35
• GetWindowRect.USER32(?,?), ref: 0041CDA3
• GetWindowRect.USER32(?,?), ref: 0041CDB4
• GetWindowRect.USER32(?,?), ref: 0041CDC9
• GetSystemMetrics.USER32(00000001), ref: 0041CDDF
• GetWindowRect.USER32(?,?), ref: 0041CE6A
• OffsetRect.USER32(?,00000000,00000001), ref: 0041CE84
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
• String ID:
• API String ID: 3805611468-0
• Opcode ID: fb3d6a6c6288458d8244ab5b7a05636bbd2df6641ee68d291c6c617b6e4c8abc
• Instruction ID: 803f87606d9fe9649e4c4e69c22c8766caa075d75a0e823ccc29d29396558258
• Opcode Fuzzy Hash: fb3d6a6c6288458d8244ab5b7a05636bbd2df6641ee68d291c6c617b6e4c8abc
• Instruction Fuzzy Hash: BAA1A370644701AFD714DF65CC86FABB7E5AB84708F00891EF15A8B381EBB8E845CB59
                                                                                APIs
                                                                                  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
                                                                                  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
                                                                                  • Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C
                                                                                • GetClientRect.USER32(?,?), ref: 0040BD9E
                                                                                • IntersectRect.USER32(?,?,?), ref: 0040BDB6
                                                                                • IsRectEmpty.USER32(?), ref: 0040BDE6
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0040BE1D
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0040BE43
                                                                                • IntersectRect.USER32(?,?,?), ref: 0040BE98
                                                                                • IsRectEmpty.USER32(?), ref: 0040BEA3
                                                                                • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0040BEE1
                                                                                • DPtoLP.GDI32(?,?,00000002), ref: 0040BF66
                                                                                • IsWindow.USER32(?), ref: 0040BFC8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Rect$EmptyIntersect$BeginClientClipCompatibleCreateH_prologObjectPaintWindow
                                                                                • String ID:
                                                                                • API String ID: 29348440-0
                                                                                • Opcode ID: e5685499fd7be07a9382c211cbe279cdece9712ed44dc58c37c8789e33f450ae
                                                                                • Instruction ID: cf43214bafb45d94c1aa6ea71f1c1c29fba0dc3f46401f9cd21b41b1fd4eae19
                                                                                • Opcode Fuzzy Hash: e5685499fd7be07a9382c211cbe279cdece9712ed44dc58c37c8789e33f450ae
                                                                                • Instruction Fuzzy Hash: DE811BB15087459FC324DF65C984AABB7E9FBC8704F008E2EF5AA93250D734E909CB56
                                                                                APIs
                                                                                • GetWindowRect.USER32(?,?), ref: 0041B43D
                                                                                • GetWindowRect.USER32(?,?), ref: 0041B44C
                                                                                • IntersectRect.USER32(?,?,?), ref: 0041B4A5
                                                                                • EqualRect.USER32(?,?), ref: 0041B4D5
                                                                                • GetWindowRect.USER32(?,?), ref: 0041B4F3
                                                                                • OffsetRect.USER32(?,?,?), ref: 0041B56A
                                                                                • OffsetRect.USER32(?,?,00000000), ref: 0041B584
                                                                                • OffsetRect.USER32(?,?,00000000), ref: 0041B59C
                                                                                • OffsetRect.USER32(?,00000000,?), ref: 0041B5B6
                                                                                • OffsetRect.USER32(?,00000000,?), ref: 0041B5CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Rect$Offset$Window$EqualIntersect
                                                                                • String ID:
                                                                                • API String ID: 2638238157-0
                                                                                • Opcode ID: b38d366e6dc3e0b5e9b345bb912f878da2ef6194c70035683dc9467c9e11fd05
                                                                                • Instruction ID: 760dd8cc131c464b768c9a8ae481bc2979dfdb08d40de6f5a4564263118fbbad
                                                                                • Opcode Fuzzy Hash: b38d366e6dc3e0b5e9b345bb912f878da2ef6194c70035683dc9467c9e11fd05
                                                                                • Instruction Fuzzy Hash: E751FB71618305AFC708CF29C98096BB7EAEBC8748F404A2EF985D3354D774ED458B92
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000002E), ref: 00432AB1
                                                                                • GetSystemMetrics.USER32(0000002D), ref: 00432AB7
                                                                                • GetSystemMetrics.USER32(0000000A), ref: 00432ABD
                                                                                • GetSystemMetrics.USER32(0000000A), ref: 00432AC8
                                                                                • GetSystemMetrics.USER32(00000009), ref: 00432AD6
                                                                                • GetSystemMetrics.USER32(00000009), ref: 00432AE2
                                                                                • GetWindowRect.USER32(?,?), ref: 00432B07
                                                                                • GetParent.USER32(?), ref: 00432B0D
                                                                                • GetWindowRect.USER32(?,00000000), ref: 00432B32
                                                                                • SetRect.USER32(?,?,00000000,?,?), ref: 00432B64
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsSystem$Rect$Window$Parent
                                                                                • String ID:
                                                                                • API String ID: 3457858938-0
                                                                                • Opcode ID: 9d29aca0cbf1ed0b7cfb3df4bf34e3f24dc60c30c11b750d1ee14dc00aa7f24d
                                                                                • Instruction ID: 29d3d84f2ecd3a8ad3efdd76a75e3d8ef39b1c8232df174fe1973e8c6299897d
                                                                                • Opcode Fuzzy Hash: 9d29aca0cbf1ed0b7cfb3df4bf34e3f24dc60c30c11b750d1ee14dc00aa7f24d
                                                                                • Instruction Fuzzy Hash: 34218071A043056FC704EF68DD5496F77A9EBC8700F00492EB905D7280DBB4E8098BA6
                                                                                APIs
                                                                                • GetClientRect.USER32(?,?), ref: 004418DD
                                                                                • GetParent.USER32(?), ref: 004418E9
                                                                                • GetClientRect.USER32(?,?), ref: 004418FA
                                                                                  • Part of subcall function 00477C26: ClientToScreen.USER32(00406A88,?), ref: 00477C3A
                                                                                  • Part of subcall function 00477C26: ClientToScreen.USER32(00406A88,?), ref: 00477C43
                                                                                • GetParent.USER32(?), ref: 0044190C
                                                                                  • Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000000), ref: 00477BFE
                                                                                  • Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000008), ref: 00477C07
                                                                                  • Part of subcall function 00477D7C: __EH_prolog.LIBCMT ref: 00477D81
                                                                                  • Part of subcall function 00477D7C: GetDC.USER32(00000000), ref: 00477DAA
                                                                                • SendMessageA.USER32 ref: 0044193F
                                                                                  • Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
                                                                                  • Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0
                                                                                • GetTextExtentPoint32A.GDI32(?,004F3148,00000001,?), ref: 0044196C
                                                                                • EqualRect.USER32(?,?), ref: 00441B2A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Client$Screen$Rect$ObjectParentSelect$EqualExtentH_prologMessagePoint32SendText
                                                                                • String ID: \VO
                                                                                • API String ID: 98060165-2422581269
                                                                                • Opcode ID: 9232f7fdc10d9f3cbcba3a39adae1181087138357b70c91d8f2144c0fc5dac1a
                                                                                • Instruction ID: 0a689c952e120c5e5f034a0976c3542a09c42ed92759d1887ccdf6d6dcbb7ad4
                                                                                • Opcode Fuzzy Hash: 9232f7fdc10d9f3cbcba3a39adae1181087138357b70c91d8f2144c0fc5dac1a
                                                                                • Instruction Fuzzy Hash: 1E91A1712083419FD718CF29C981A6BB7E5EBC8704F108A2EF586D3361D778E949CB5A
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00465F39
                                                                                • GetStdHandle.KERNEL32(000000F4,004DE994,00000000,00000000,00000000,?), ref: 0046600F
                                                                                • WriteFile.KERNEL32(00000000), ref: 00466016
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$HandleModuleNameWrite
                                                                                • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $hjO
                                                                                • API String ID: 3784150691-4007570488
                                                                                • Opcode ID: 015ef7d03db599dd83144b082588e9cb5e0da7faf4dd95da55a30e064c1a791a
                                                                                • Instruction ID: d1721224242d0791b5ccfd7e497cebd5367fbc419222c99c78898237f8552075
                                                                                • Opcode Fuzzy Hash: 015ef7d03db599dd83144b082588e9cb5e0da7faf4dd95da55a30e064c1a791a
                                                                                • Instruction Fuzzy Hash: 2931D572A01218AFDF20EB61CC46FAE736CEB45314F5005ABF544E6140FAB9DA858B5F
                                                                                APIs
                                                                                • GetStockObject.GDI32(00000011), ref: 004772A6
                                                                                • GetStockObject.GDI32(0000000D), ref: 004772AE
                                                                                • GetObjectA.GDI32(00000000,0000003C,?), ref: 004772BB
                                                                                • GetDC.USER32(00000000), ref: 004772CA
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004772E1
                                                                                • MulDiv.KERNEL32(?,00000048,00000000), ref: 004772ED
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 004772F8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object$Stock$CapsDeviceRelease
                                                                                • String ID: System
                                                                                • API String ID: 46613423-3470857405
                                                                                • Opcode ID: 149c52793a063d85d281444012ef68c30f6264c7b16a6ba80e424fbf49e69a92
                                                                                • Instruction ID: ec98fbbbb0dfed13fdc92685394b9affedb8c907199883e60f7ad9283d9da613
                                                                                • Opcode Fuzzy Hash: 149c52793a063d85d281444012ef68c30f6264c7b16a6ba80e424fbf49e69a92
                                                                                • Instruction Fuzzy Hash: 1911C631A40308BBEB009BA1DC05FEE3BB8EB05740F50802AFA05E62C1D7749D05C7A8
APIs
• GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004754BA,?,00020000), ref: 004751C9
• LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 004751D2
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004751E6
• #17.COMCTL32 ref: 00475201
• #17.COMCTL32 ref: 0047521D
• FreeLibrary.KERNEL32(00000000), ref: 00475229
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Similarity
• API ID: Library$AddressFreeHandleLoadModuleProc
• String ID: COMCTL32.DLL$InitCommonControlsEx
• API String ID: 1437655972-4218389149
APIs
• CompareStringW.KERNEL32(00000000,00000000,004DEC1C,00000001,004DEC1C,00000001,00000000,009911EC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00461473), ref: 0046DA70
• CompareStringA.KERNEL32(00000000,00000000,004DEC18,00000001,004DEC18,00000001), ref: 0046DA8D
• CompareStringA.KERNEL32(00450EB6,00000000,00000000,00000000,00461473,00000000,00000000,009911EC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00461473), ref: 0046DAEB
• GetCPInfo.KERNEL32(00000000,00000000,00000000,009911EC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00461473,00000000), ref: 0046DB3C
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 0046DBBB
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046DC1C
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046DC2F
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046DC7B
• CompareStringW.KERNEL32(00450EB6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046DC93
Similarity
• API ID: ByteCharCompareMultiStringWide$Info
• String ID:
• API String ID: 1651298574-0
APIs
• CopyRect.USER32(?,00000000), ref: 00429817
• IsRectEmpty.USER32(?), ref: 00429822
• GetClientRect.USER32(00000000,?), ref: 00429861
• DPtoLP.GDI32(?,?,00000002), ref: 00429873
• LPtoDP.GDI32(?,?,00000002), ref: 004298B0
• CreateRectRgnIndirect.GDI32(?), ref: 004298C8
• OffsetRect.USER32(?,?,?), ref: 004298ED
• LPtoDP.GDI32(?,?,00000002), ref: 004298FF
  • Part of subcall function 00478091: __EH_prolog.LIBCMT ref: 00478096
  • Part of subcall function 00478091: CreatePen.GDI32(?,?,?), ref: 004780B9
  • Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
  • Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0
  • Part of subcall function 0047763C: GetStockObject.GDI32(?), ref: 00477645
  • Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047765F
  • Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047766A
  • Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777C9
  • Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777D7
• Rectangle.GDI32(?,?,?,?,?), ref: 00429973
  • Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,00000000), ref: 00477AC7
  • Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,?), ref: 00477ADD
  • Part of subcall function 0047807B: DeleteObject.GDI32(00000000), ref: 0047808A
  • Part of subcall function 00477DEE: __EH_prolog.LIBCMT ref: 00477DF3
  • Part of subcall function 00477DEE: ReleaseDC.USER32(?,00000000), ref: 00477E12
Similarity
• API ID: ObjectSelect$Rect$ClipCreateH_prolog$ClientCopyDeleteEmptyIndirectOffsetRectangleReleaseStock
• String ID:
• API String ID: 2841338838-0
APIs
• GetCapture.USER32 ref: 0041B1B6
• ClientToScreen.USER32(?,?), ref: 0041B1F3
• OffsetRect.USER32(?,?,?), ref: 0041B21C
• GetParent.USER32(?), ref: 0041B222
  • Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000000), ref: 00477BFE
  • Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000008), ref: 00477C07
• GetClientRect.USER32(?,?), ref: 0041B245
• OffsetRect.USER32(?,?,00000000), ref: 0041B263
• OffsetRect.USER32(?,?,00000000), ref: 0041B27B
• OffsetRect.USER32(?,00000000,?), ref: 0041B299
• OffsetRect.USER32(?,00000000,?), ref: 0041B2B9
Similarity
• API ID: Rect$Offset$Client$Screen$CaptureParent
• String ID:
• API String ID: 838496554-0
APIs
• lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041CFF9,?,-00000001,00000000,?,?,?,004F0BD0), ref: 0046F76C
• GetFocus.USER32 ref: 0046F787
  • Part of subcall function 00473302: UnhookWindowsHookEx.USER32(?), ref: 00473327
• IsWindowEnabled.USER32(?), ref: 0046F7B0
• EnableWindow.USER32(?,00000000), ref: 0046F7C2
• GetOpenFileNameA.COMDLG32(?,?), ref: 0046F7ED
• GetSaveFileNameA.COMDLG32(?,?), ref: 0046F7F4
• EnableWindow.USER32(?,00000001), ref: 0046F80B
• IsWindow.USER32(?), ref: 0046F811
• SetFocus.USER32(?), ref: 0046F81F
Similarity
• API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
• String ID:
• API String ID: 3606897497-0
APIs
• SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041F2D9
• OffsetRect.USER32(?,?,?), ref: 0041F2E6
• IntersectRect.USER32(?,?,?), ref: 0041F302
• IsRectEmpty.USER32(?), ref: 0041F30D
• OffsetRect.USER32(?,?,?), ref: 0041F34A
Similarity
• API ID: Rect$Offset$EmptyIntersect
• String ID: 2$`\A
• API String ID: 765610062-1838255340
                                                                                • Opcode ID: bebef98721c078bd29f00fc75aaf2cee393377a285fa85bc06280d49842dbd68
                                                                                • Instruction ID: 93bdd1f3402a99630ecb035814579fbbec8ebc132cc835ca143157f893fb6f70
                                                                                • Opcode Fuzzy Hash: bebef98721c078bd29f00fc75aaf2cee393377a285fa85bc06280d49842dbd68
                                                                                • Instruction Fuzzy Hash: 366116752083419FC714CF69C8849ABBBE9FBC8314F148A2EF99987310D734E94ACB56
APIs
• GetStringTypeW.KERNEL32(00000001,004DEC1C,00000001,?,7622E860,0051AD08,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046C9FF
• GetStringTypeA.KERNEL32(00000000,00000001,004DEC18,00000001,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046CA19
• GetStringTypeA.KERNEL32(?,?,?,?,)F,7622E860,0051AD08,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046CA4D
• MultiByteToWideChar.KERNEL32(?,0051AD09,?,?,00000000,00000000,7622E860,0051AD08,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046CA85
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004629ED,?), ref: 0046CADB
• GetStringTypeW.KERNEL32(?,?,00000000,)F,?,?,?,?,?,?,004629ED,?), ref: 0046CAED
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: StringType$ByteCharMultiWide
• String ID: )F
• API String ID: 3852931651-1070133202
• Opcode ID: a542520c38bd21c8488bf1e4737d8855976a3bab91e72be1a03ad7e195084f87
• Instruction ID: a40e318d064908d24936ccf6da067316cf119d6ee3c494caa51772306089cb6e
• Opcode Fuzzy Hash: a542520c38bd21c8488bf1e4737d8855976a3bab91e72be1a03ad7e195084f87
• Instruction Fuzzy Hash: CC416B72600219AFCF21DF94CC85EFF7BB8EB18750F20442AF911E6250E3798954DBA6
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: accept
• String ID: %s:%d$P
• API String ID: 3005279540-612342447
• Opcode ID: 2142da63f02e74cbc3eecde08b87ef40ee9343fa0b223d14839971f07546babd
• Instruction ID: d369be08a7afa1e247dea82d04a2a3b3b225294ab7dccc7a5d725fc1e84763a6
• Opcode Fuzzy Hash: 2142da63f02e74cbc3eecde08b87ef40ee9343fa0b223d14839971f07546babd
• Instruction Fuzzy Hash: 7F319571214A015FE310EB68EC98DBF73E8FFD0325F404B2EF591922D0E67499198B65
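The per-function records in this section (resolved API calls with their call-site addresses, the API ID summary, the String ID and the instruction fuzzy hash) are what a triager scans to find the network-facing code; the record above, whose only API hint is accept and whose string is the `%s:%d` host:port format, is the kind of hit that matters. As an added example, not part of the Joe Sandbox report, here is a Python parser for this record layout that pulls those fields out, keeps the "Part of subcall function" attribution, and flags records that reference a socket API. The Winsock API list and the sample text (assembled from records on this page) are my assumptions.

```python
"""
Added example: parse Joe Sandbox per-function records and flag socket-related functions.
Not part of the report; field names and NETWORK_APIS are assumptions made for triage.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Assumption: Winsock calls that mark a function as part of the listener/connector.
NETWORK_APIS = {"accept", "listen", "bind", "connect", "socket", "recv", "send", "WSAStartup"}

# Matches e.g.  "• GetStringTypeW.KERNEL32(00000001,...), ref: 0046C9FF"
#               "• ReleaseCapture.USER32 ref: 00432001"
#               "• Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8"
API_LINE = re.compile(
    r"^\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)(?P<args>\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Matches the "• Key: value" summary lines that close each record.
FIELD_LINE = re.compile(
    r"^\u2022\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<value>.*?)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address inside the dumped image
    subcall_of: Optional[str] = None  # set when reported as "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # list[ApiCall]
    fields: dict = field(default_factory=dict)  # summary key -> value

    @property
    def api_names(self) -> set:
        return {c.name for c in self.calls}

    @property
    def api_id_tokens(self) -> set:
        # "Capture$ClientRectReleaseWindow$..." -> its "$"-separated tokens
        return {t for t in self.fields.get("API ID", "").split("$") if t}

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_records(text: str) -> list:
    """Split report text into records; a record starts at 'APIs' and closes at its Instruction Fuzzy Hash."""
    records = []
    current = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if current.calls or current.fields:   # keep a partial record only if it has data
                records.append(current)
            current = FunctionRecord()
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields[m["key"]] = m["value"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(current)
                current = FunctionRecord()
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
        # "Memory Dump Source", "Associated:", "Strings", etc. carry nothing we need here
    if current.calls or current.fields:
        records.append(current)
    return records


def flag_network_functions(records) -> list:
    """Return (sorted hits, record) for records whose calls or API ID summary name a socket API."""
    flagged = []
    for r in records:
        hits = (r.api_names | r.api_id_tokens) & NETWORK_APIS
        if hits:
            flagged.append((sorted(hits), r))
    return flagged


def api_histogram(records) -> Counter:
    """How often each resolved API appears across all parsed functions."""
    return Counter(c.name for r in records for c in r.calls)


# Constructed sample: three records copied in abbreviated form from this report section.
SAMPLE = """\
APIs
• GetStringTypeW.KERNEL32(00000001,004DEC1C,00000001,?,7622E860,0051AD08,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046C9FF
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004629ED,?), ref: 0046CADB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: StringType$ByteCharMultiWide
• String ID: )F
• Instruction Fuzzy Hash: CC416B72600219AFCF21DF94CC85EFF7BB8EB18750F20442AF911E6250E3798954DBA6
APIs
Strings
Memory Dump Source
• API ID: accept
• String ID: %s:%d$P
• Instruction Fuzzy Hash: 7F319571214A015FE310EB68EC98DBF73E8FFD0325F404B2EF591922D0E67499198B65
APIs
• ReleaseCapture.USER32 ref: 00432001
  • Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8
• SetCapture.USER32(?), ref: 00431FCC
Memory Dump Source
• API ID: Capture$ClientRectReleaseWindow$EnabledFromPointScreen
• Instruction Fuzzy Hash: 8721C8362006009BD354EB19DD49E7FB3A4AFC8718F04891EF98582251E779D9098B69
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for hits, r in flag_network_functions(recs):
        print(hits, r.fields.get("String ID"), r.instruction_fuzzy_hash[:16])
    print(api_histogram(recs).most_common(3))
```

Feed the plain-text export of a report to `parse_records` and the instruction fuzzy hashes of the flagged records can then be compared across samples of the same family; the parser deliberately ignores the "Memory Dump Source" and "Associated" lines, which describe where the dump came from rather than what the function does.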
APIs
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: __ftol
• String ID:
• API String ID: 495808979-0
• Opcode ID: a326dffd14074a7c44b8695449b7337403b16a9057f3b478ccea4b676442838b
• Instruction ID: d66bac2e501cad5e88b8036816d486774d2a7132a89948915131701c3a20a8f2
• Opcode Fuzzy Hash: a326dffd14074a7c44b8695449b7337403b16a9057f3b478ccea4b676442838b
• Instruction Fuzzy Hash: BFD133B2909342DFD301AF21D08925ABFF0FFD5744FA60999E0D56626AE3318578CF86
APIs
  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
  • Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C
• IsRectEmpty.USER32(?), ref: 0041A25D
• GetSysColor.USER32(0000000F), ref: 0041A26E
  • Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
  • Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103
  • Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
  • Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0
• PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041A2B8
• GetClientRect.USER32(?,?), ref: 0041A2D1
• LoadBitmapA.USER32(?,?), ref: 0041A308
• GetObjectA.GDI32(?,00000018,?), ref: 0041A357
• CreateCompatibleDC.GDI32(?), ref: 0041A37D
• BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0041A40F
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Object$CreateH_prologRectSelect$BeginBitmapBrushClientClipColorCompatibleEmptyLoadPaintSolid
• String ID:
• API String ID: 1390316934-0
• Opcode ID: 4830e2f34cdc7cb464f192dd3328f15af2377adb3faa96b445f29857e5b436ad
• Instruction ID: da5c8dc3e7b0601298c1433b8a577d220f0771ad75de7036a1bb814524562355
• Opcode Fuzzy Hash: 4830e2f34cdc7cb464f192dd3328f15af2377adb3faa96b445f29857e5b436ad
• Instruction Fuzzy Hash: 65615B711183819FD324DB68C955FABBBE8FBC4714F048A1DF19993281DB78A908CB62
APIs
• GetDeviceCaps.GDI32(?,00000058), ref: 00440358
• GetDeviceCaps.GDI32(?,0000005A), ref: 00440361
• GetDeviceCaps.GDI32(?,0000006E), ref: 00440372
• GetDeviceCaps.GDI32(?,0000006F), ref: 0044038F
• GetDeviceCaps.GDI32(?,00000070), ref: 004403A4
• GetDeviceCaps.GDI32(?,00000071), ref: 004403B9
• GetDeviceCaps.GDI32(?,00000008), ref: 004403CE
• GetDeviceCaps.GDI32(?,0000000A), ref: 004403E3
  • Part of subcall function 00440120: __ftol.LIBCMT ref: 00440125
  • Part of subcall function 00440150: __ftol.LIBCMT ref: 00440155
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: CapsDevice$__ftol
• String ID:
• API String ID: 1555043975-0
• Opcode ID: 8398ba199c19d7dbc35e52de12665e09218da8f6fe5ba84e857d295fa2477440
• Instruction ID: 637e0369b480934b6af01a5e202d36a4ecde455befc9a505ff508b8832f9b0ab
• Opcode Fuzzy Hash: 8398ba199c19d7dbc35e52de12665e09218da8f6fe5ba84e857d295fa2477440
• Instruction Fuzzy Hash: E9514571508704AFE300EF6ACC85A6FBBE4FFC9704F01495DF6949A290DB72D9248B96
APIs
• ReleaseCapture.USER32 ref: 00432001
  • Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8
• GetClientRect.USER32(?,?), ref: 00431F57
• PtInRect.USER32(?,?,?), ref: 00431F6C
• ClientToScreen.USER32(?,?), ref: 00431F7D
• WindowFromPoint.USER32(?,?), ref: 00431F8D
• ReleaseCapture.USER32 ref: 00431FA7
• GetCapture.USER32 ref: 00431FC1
• SetCapture.USER32(?), ref: 00431FCC
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Capture$ClientRectReleaseWindow$EnabledFromPointScreen
• String ID:
• API String ID: 3076215760-0
• Opcode ID: 7e9896b394843612b1968a0b7f4d3827953597b8dd302301f63c9e221ebc70f0
• Instruction ID: dc0a319ab2e6945f2799512b4cbe48e619e58efb27e3d34379d4af36321b770c
• Opcode Fuzzy Hash: 7e9896b394843612b1968a0b7f4d3827953597b8dd302301f63c9e221ebc70f0
• Instruction Fuzzy Hash: 8721C8362006009BD354EB19DD49E7FB3A4AFC8718F04891EF98582251E779D9098B69
                                                                                APIs
                                                                                • GlobalLock.KERNEL32(?), ref: 00475BDA
                                                                                • lstrcmpA.KERNEL32(?,?), ref: 00475BE6
                                                                                • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00475BF8
                                                                                • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00475C1B
                                                                                • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00475C23
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00475C30
                                                                                • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00475C3D
                                                                                • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00475C5B
                                                                                  • Part of subcall function 00478A43: GlobalFlags.KERNEL32(?), ref: 00478A4D
                                                                                  • Part of subcall function 00478A43: GlobalUnlock.KERNEL32(?), ref: 00478A64
                                                                                  • Part of subcall function 00478A43: GlobalFree.KERNEL32(?), ref: 00478A6F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                                                                • String ID:
                                                                                • API String ID: 168474834-0
                                                                                • Opcode ID: 614a3771396ca027813b1ada3edd4e39c187baaea604c8f59b4880b3471a74f5
                                                                                • Instruction ID: 147156600c64acad9190a60fb3f4e236369b3fe309035edf499b2925844bf02d
                                                                                • Opcode Fuzzy Hash: 614a3771396ca027813b1ada3edd4e39c187baaea604c8f59b4880b3471a74f5
                                                                                • Instruction Fuzzy Hash: 63110A72500204BEEB225B76CC4EEAF7ABDEF84740F00442EFA0CD5122D679CE449764
                                                                                APIs
                                                                                • GetClientRect.USER32(?,?), ref: 00409F1C
                                                                                • PtInRect.USER32(?,?,?), ref: 00409F31
                                                                                • ReleaseCapture.USER32 ref: 00409F41
                                                                                • InvalidateRect.USER32(?,00000000,00000000), ref: 00409F4F
                                                                                • GetCapture.USER32 ref: 00409F5F
                                                                                • SetCapture.USER32(?), ref: 00409F6A
                                                                                • InvalidateRect.USER32(?,00000000,00000000), ref: 00409F8B
                                                                                • SetCapture.USER32(?), ref: 00409F95
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CaptureRect$Invalidate$ClientRelease
                                                                                • String ID:
                                                                                • API String ID: 3559558096-0
                                                                                • Opcode ID: 6af7c6e2e8e9f1cf88adfb5836a79072d1160a7217a5140ed7a157fc157bc9c2
                                                                                • Instruction ID: 516b7efc7bc45a93edc4f1acf5a4a97732390063b087b06aadc7179c5d672c83
                                                                                • Opcode Fuzzy Hash: 6af7c6e2e8e9f1cf88adfb5836a79072d1160a7217a5140ed7a157fc157bc9c2
                                                                                • Instruction Fuzzy Hash: 5C115E725507119FD3A0AB74DC48F9B77A8BF84B04F008D2EF686D3251D735E8088B58
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID: `\A
                                                                                • API String ID: 2111968516-2688774508
                                                                                • Opcode ID: 1ee4e53543f775949fd2a4fdfc21ef5bb4f43ddb9cea6d4271e965e6cc315ff9
                                                                                • Instruction ID: 2feeacdd23fd66dcc309e48e132a7301f69564b4ff9871eb4d32aea763b38161
                                                                                • Opcode Fuzzy Hash: 1ee4e53543f775949fd2a4fdfc21ef5bb4f43ddb9cea6d4271e965e6cc315ff9
                                                                                • Instruction Fuzzy Hash: BFC182B1604201AFC311DF24C881DABB7F8EF99359F14492EF84697352E738EA458B96
                                                                                APIs
                                                                                • IsWindow.USER32(?), ref: 0040E0FD
                                                                                • GetParent.USER32(?), ref: 0040E10F
                                                                                • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0040E137
                                                                                • GetWindowRect.USER32(?,?), ref: 0040E1C1
                                                                                • InvalidateRect.USER32(?,?,00000001,?), ref: 0040E1E4
                                                                                • GetWindowRect.USER32(?,?), ref: 0040E3AC
                                                                                • InvalidateRect.USER32(?,?,00000001,?), ref: 0040E3CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Rect$Window$Invalidate$MessageParentSend
                                                                                • String ID:
                                                                                • API String ID: 236041146-0
                                                                                • Opcode ID: 43c05b95eb46b15a430d16c57c654c819bb8eac372cd35a1bc0d2d0177836efd
                                                                                • Instruction ID: 70010f276b0e887eca2c70af41afaca73210653075d065733503dbcd81dc86ae
                                                                                • Opcode Fuzzy Hash: 43c05b95eb46b15a430d16c57c654c819bb8eac372cd35a1bc0d2d0177836efd
                                                                                • Instruction Fuzzy Hash: DC91C1716043059BC724EF26C841F6B77E8AF84718F05092EFD45AB3C2EB78E9158B99
                                                                                APIs
                                                                                • IsWindow.USER32(?), ref: 00418FBC
                                                                                • SendMessageA.USER32(?,00008003,00000000,00000000), ref: 00418FD3
                                                                                • GetWindowRect.USER32(?,00000000), ref: 00419025
                                                                                • GetClientRect.USER32(?,00000000), ref: 0041907D
                                                                                • GetWindowRect.USER32(?,00000000), ref: 004190A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: RectWindow$ClientMessageSend
                                                                                • String ID: `\A
                                                                                • API String ID: 1071774122-2688774508
                                                                                • Opcode ID: ef40a2772205d8e7eaddef1016916fdd3baee166a5687fcfa59401985cf78a8c
                                                                                • Instruction ID: bedbf196f3d918205e6dc890d020f63c6bdb76d8da2aa9b8b0d6ed37f319dbba
                                                                                • Opcode Fuzzy Hash: ef40a2772205d8e7eaddef1016916fdd3baee166a5687fcfa59401985cf78a8c
                                                                                • Instruction Fuzzy Hash: 8161A2716043019FC710DF25C894AAFBBE9EB88758F044A1EF98597381DA38ED45CB9A
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 00479AF2
                                                                                • GetParent.USER32(?), ref: 00479AF9
                                                                                  • Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C
                                                                                • SendMessageA.USER32(?,00000187,00000000,00000000), ref: 00479B4C
                                                                                • SendMessageA.USER32(0000AC84,00000111,?,?), ref: 00479B9D
                                                                                • SendMessageA.USER32(?,00000185,00000000,00000000), ref: 00479C28
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$LongParentWindow
                                                                                • String ID:
                                                                                • API String ID: 779260966-3916222277
                                                                                • Opcode ID: 162512ddf52b2d8149e98fb81116fe1752bc9684ec8ebd339e1184488911490a
                                                                                • Instruction ID: 338a8654d10beba46d9567e6a8d449294bb87e5d8f9a95ba3f87454236f9dc81
                                                                                • Opcode Fuzzy Hash: 162512ddf52b2d8149e98fb81116fe1752bc9684ec8ebd339e1184488911490a
                                                                                • Instruction Fuzzy Hash: 2931E9702147186FCE357A768C41DAF76DDEB84748B118D2FF54AC6281DA69EC02867C
                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 00475029
                                                                                • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00475052
                                                                                • UpdateWindow.USER32(?), ref: 0047506E
                                                                                • SendMessageA.USER32(?,00000121,00000000,?), ref: 00475094
                                                                                • SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 004750B3
                                                                                • UpdateWindow.USER32(?), ref: 004750F6
                                                                                • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00475129
                                                                                  • Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Window$PeekSendUpdate$LongParent
                                                                                • String ID:
                                                                                • API String ID: 2853195852-0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID: - $ - [$%d / %d]$?? / %d]$\VO
                                                                                • API String ID: 2111968516-1963051370
                                                                                APIs
                                                                                • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,?,00000000), ref: 0045E94B
                                                                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 0045E96A
                                                                                • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0045E981
                                                                                • GetTempPathA.KERNEL32(00000104,00000000), ref: 0045E998
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DirectoryPath$FolderSpecialSystemTempWindows
                                                                                • String ID: \$\
                                                                                • API String ID: 2721284240-164819647
                                                                                APIs
                                                                                  • Part of subcall function 0047AE3D: __EH_prolog.LIBCMT ref: 0047AE42
                                                                                  • Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C
                                                                                • SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 00479868
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00479877
                                                                                • SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 00479890
                                                                                • SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 004798B8
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004798C7
                                                                                • SendMessageA.USER32(?,00000198,?,?), ref: 004798DD
                                                                                • PtInRect.USER32(?,000000FF,?), ref: 004798E9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$H_prologLongRectWindow
                                                                                • String ID:
                                                                                • API String ID: 2846605207-0
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,00000000,?,0045F087,?,00000210), ref: 0045FD3F
                                                                                • WriteFile.KERNEL32(00000000,?,0000000E,?,00000000,?), ref: 0045FDA6
                                                                                • WriteFile.KERNEL32(00000000,?,?,0000000E,00000000,?), ref: 0045FDDC
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0045FDF1
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0045FE07
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandleWrite$Create
                                                                                • String ID: BM
                                                                                • API String ID: 2874586052-2348483157
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0046F842
                                                                                • GetParent.USER32(?), ref: 0046F87F
                                                                                • SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046F8A7
                                                                                • GetParent.USER32(?), ref: 0046F8D0
                                                                                • SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046F8ED
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageParentSend$H_prolog
                                                                                • String ID: \VO
                                                                                • API String ID: 1056721960-2422581269
                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 0047BB44
                                                                                • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0047BB67
                                                                                • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0047BB86
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047BB96
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047BBA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreate$Open
                                                                                • String ID: software
                                                                                • API String ID: 1740278721-2010147023
                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00460A19
                                                                                • GetSystemMetrics.USER32(00000000), ref: 00460A31
                                                                                • GetSystemMetrics.USER32(00000001), ref: 00460A38
                                                                                • lstrcpyA.KERNEL32(?,DISPLAY), ref: 00460A5C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: System$Metrics$InfoParameterslstrcpy
• String ID: B$DISPLAY
• API String ID: 1409579217-3316187204
• Opcode ID: 92544a67865e79956c7191939567c3bf09aa611fb64778a5aa98bff9e6b92e81
• Instruction ID: b6f3742cdbcad88fa81bf7298c33677bdfb62cc56253175d50272c966f63f57e
• Opcode Fuzzy Hash: 92544a67865e79956c7191939567c3bf09aa611fb64778a5aa98bff9e6b92e81
• Instruction Fuzzy Hash: 0211C672610324AFCF519F94CC8499BBFBCEF19791B004467FC059A246E2B5DA00CBAA
APIs
• GetSysColor.USER32(0000000F), ref: 00477327
• GetSysColor.USER32(00000010), ref: 0047732E
• GetSysColor.USER32(00000014), ref: 00477335
• GetSysColor.USER32(00000012), ref: 0047733C
• GetSysColor.USER32(00000006), ref: 00477343
• GetSysColorBrush.USER32(0000000F), ref: 00477350
• GetSysColorBrush.USER32(00000006), ref: 00477357
• API ID: Color$Brush
• String ID:
• API String ID: 2798902688-0
• Opcode ID: a58a2a3821aad9f9910b442f734b991c3eded8fc445f87b89ae9fa4e41de6ccd
• Instruction ID: 2cef25cf44b60ece385b146d0e5ec3ecdf1b425a2ee51da4f0664f1fb60a5a4c
• Opcode Fuzzy Hash: a58a2a3821aad9f9910b442f734b991c3eded8fc445f87b89ae9fa4e41de6ccd
• Instruction Fuzzy Hash: 03F01C719407489BD770BFB29D49B4BBAE4FFC4B10F020D2ED2858BA90E6B5A401DF44
APIs
• API ID: Window$ChildFocusVisible
• String ID:
• API String ID: 372613587-0
• Opcode ID: 8a6c0282328351e9b25e707ed2d1aa4fb2ef7b527566c208047451ddcb9d4f2f
• Instruction ID: bb16c596b12c0e5cf22eae30f690d04a0f2ce5c153819b008815721780a8bb22
• Opcode Fuzzy Hash: 8a6c0282328351e9b25e707ed2d1aa4fb2ef7b527566c208047451ddcb9d4f2f
• Instruction Fuzzy Hash: C0517D716043059FC720EF25C880DABB3F8BF88348F05492EF9559B252DB78E9498BA5
APIs
• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0043322C
  • Part of subcall function 0047118B: InterlockedIncrement.KERNEL32(-000000F4), ref: 004711A0
• OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0043325D
• DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 004332A5
• DocumentPropertiesA.WINSPOOL.DRV(?,?,?,00000000,00000000,0000000E), ref: 0043333B
• ClosePrinter.WINSPOOL.DRV(?,?,?,?,00000000,00000000,0000000E), ref: 00433370
  • Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A
• API ID: DocumentInterlockedProperties$CloseDecrementIncrementMessageOpenPrinterPrinter.Send
• String ID:
• API String ID: 1978028495-0
• Opcode ID: ec7068991d3905ac8eecc7db706bf64f1a5d2e5e45925eafd18774466bb0b679
• Instruction ID: ca97010a144181708fe8c5cea391bc646fb274e62e1fb9885e8ea07893d214ba
• Opcode Fuzzy Hash: ec7068991d3905ac8eecc7db706bf64f1a5d2e5e45925eafd18774466bb0b679
• Instruction Fuzzy Hash: 574129B5104305ABC720DF25C881EEF77A9EF88764F404A1DF84987392D738D949CB6A
APIs
• CopyRect.USER32(?,00000000), ref: 00429AA2
• IsRectEmpty.USER32(?), ref: 00429AD3
• OffsetRect.USER32(?,00000000,?), ref: 00429B23
• LPtoDP.GDI32(?,?,00000002), ref: 00429B58
• GetClientRect.USER32(?,?), ref: 00429B67
• IntersectRect.USER32(?,?,?), ref: 00429B7C
• API ID: Rect$ClientCopyEmptyIntersectOffset
• String ID:
• API String ID: 1743551499-0
• Opcode ID: 8e76b1244c17516a45adb06e627a0e922e1092a8ca7f8b4f87f46b9e9cdbf64c
• Instruction ID: bd3a679f251095f51495ea2364d2c4c3797c8b53ddd4b3e5e36d2f2b9cec77fb
• Opcode Fuzzy Hash: 8e76b1244c17516a45adb06e627a0e922e1092a8ca7f8b4f87f46b9e9cdbf64c
• Instruction Fuzzy Hash: FC411AB66187019FC318CF69D88096BB7E9FBC8710F048A2EF956C7251DB74D909CB62
APIs
  • Part of subcall function 0041F020: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041F09B
• CreateCompatibleDC.GDI32(?), ref: 0041F10A
• DeleteObject.GDI32(00000000), ref: 0041F11F
• API ID: Create$BitmapCompatibleDeleteObject
• String ID:
• API String ID: 3709961035-0
• Opcode ID: 93a4151f8b778894cdd70d02ae2cf38c429d520ac03b6037c0b94f7b92ba3d2b
• Instruction ID: 6f3f17f7978d440e063501b17b8c08c2bd89ab3fd6cea7901ec28b90cb460b2b
• Opcode Fuzzy Hash: 93a4151f8b778894cdd70d02ae2cf38c429d520ac03b6037c0b94f7b92ba3d2b
• Instruction Fuzzy Hash: BE3173762047409FC310DF69D984F5BB7E8FB89724F108A2EF55983381DB39E8098766
APIs
• TlsGetValue.KERNEL32(00000000,0051A4BC,00000000,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047ABBB
• EnterCriticalSection.KERNEL32(0000001C,00000010,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC0A
• LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC1D
• LocalAlloc.KERNEL32(00000000,?,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC33
• LocalReAlloc.KERNEL32(?,?,00000002,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC45
• TlsSetValue.KERNEL32(00000000,00000000), ref: 0047AC81
• API ID: AllocCriticalLocalSectionValue$EnterLeave
• String ID:
• API String ID: 4117633390-0
• Opcode ID: 33a1f9ab3c87f1b1cd77c6540df78440d74931dab3cc581fb799a306892d302e
• Instruction ID: 4ab6ae8ff67a6025013d40401f3715a3899d62dd382f0d20cb94c317050ee652
• Opcode Fuzzy Hash: 33a1f9ab3c87f1b1cd77c6540df78440d74931dab3cc581fb799a306892d302e
• Instruction Fuzzy Hash: 2131C271100605AFD724CF15C889FAAB7E8FF84364F00C92EE51AC7640E775E819CB5A
APIs
• __EH_prolog.LIBCMT ref: 00473B27
• SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00473B74
• SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00473B96
• GetCapture.USER32 ref: 00473BA8
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00473BB7
• WinHelpA.USER32(?,?,?,?), ref: 00473BCB
                                                                                • API ID: MessageSend$CaptureH_prologHelp
                                                                                • String ID:
                                                                                • API String ID: 432264411-0
                                                                                • Opcode ID: 2806fd6ea49f7c3922771f4d03cc515cb6d0147371629576b819bbfa8f042c8e
                                                                                • Instruction ID: 6d5422c4d33b506628c1522f307ec8bf6054d7a9e0dd56f1c79e164d4f743655
                                                                                • Opcode Fuzzy Hash: 2806fd6ea49f7c3922771f4d03cc515cb6d0147371629576b819bbfa8f042c8e
                                                                                • Instruction Fuzzy Hash: 8521E571640208BFEB20AF61CC85FBE76B9EF44748F10862DF1199B1E2CB759D009B54
                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 00478FFA
                                                                                • GetLastActivePopup.USER32(?), ref: 00479009
                                                                                • IsWindowEnabled.USER32(?), ref: 0047901E
                                                                                • EnableWindow.USER32(?,00000000), ref: 00479031
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00479043
                                                                                • GetParent.USER32(?), ref: 00479051
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                                • String ID:
                                                                                • API String ID: 670545878-0
                                                                                • Opcode ID: fc03eead2d1831e5dcce7a925296d57d5bce9d5cc3706b5d3440cbb1e1f75017
                                                                                • Instruction ID: 306960c9b9f82c95336da914b788e918744c3fa3e8904266bdbb70e06c214a23
                                                                                • Opcode Fuzzy Hash: fc03eead2d1831e5dcce7a925296d57d5bce9d5cc3706b5d3440cbb1e1f75017
                                                                                • Instruction Fuzzy Hash: 4E11C6326613615796B15E695C44FAFB3AC9F55F51F05812EED08E3300DB28CC0183ED
                                                                                APIs
                                                                                • GetCursorPos.USER32(?), ref: 0042C752
                                                                                • ScreenToClient.USER32(00000001,?), ref: 0042C761
                                                                                  • Part of subcall function 0042C7E0: DPtoLP.GDI32(?,?,00000001), ref: 0042C8F7
                                                                                • LoadCursorA.USER32(00000000,00007F85), ref: 0042C791
                                                                                • SetCursor.USER32(00000000), ref: 0042C798
                                                                                • LoadCursorA.USER32(00000000,00007F84), ref: 0042C7B7
                                                                                • SetCursor.USER32(00000000), ref: 0042C7BE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Cursor$Load$ClientScreen
                                                                                • String ID:
                                                                                • API String ID: 789353160-0
                                                                                • Opcode ID: ada83e27c1795162a8ff2465344e1172f93ec26adbb87773cfa476b482060837
                                                                                • Instruction ID: 2a9546ff0cf2e49e0f60108d2f32204b8a95b6a530c96c48dcdfbe8ef4dfb3c8
                                                                                • Opcode Fuzzy Hash: ada83e27c1795162a8ff2465344e1172f93ec26adbb87773cfa476b482060837
                                                                                • Instruction Fuzzy Hash: EA11A535654312ABC650DB64EC89E9F73A8AF94F15F00492EF546C6280EB74D90CCBB7
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000110A,00000002,?), ref: 004099EB
                                                                                • SendMessageA.USER32(?,00001101,00000000,00000000), ref: 004099FD
                                                                                • SendMessageA.USER32(?,0000110A,00000002,?), ref: 00409A0B
                                                                                • SendMessageA.USER32(?,0000110A,00000001,?), ref: 00409A1D
                                                                                • SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00409A2F
                                                                                • SendMessageA.USER32(?,0000110A,00000001,?), ref: 00409A3D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 133d26b22a3130ff4542d3e0f48d2eea80f351cc3097cbdf2f7af533ed5693d0
                                                                                • Instruction ID: ee0772fc05c6400be0ad4b1873380546aecd196e175bd684b20db392d3a28ec2
                                                                                • Opcode Fuzzy Hash: 133d26b22a3130ff4542d3e0f48d2eea80f351cc3097cbdf2f7af533ed5693d0
                                                                                • Instruction Fuzzy Hash: D00186B27503057EF534DA699CC2FA7A2AD9F98B51F008619B701EB2C0C5F5EC414B70
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 004789CF
                                                                                  • Part of subcall function 00478871: GetWindowLongA.USER32(00000000,000000F0), ref: 00478882
                                                                                • GetParent.USER32(00000000), ref: 004789F6
                                                                                  • Part of subcall function 00478871: GetClassNameA.USER32(00000000,?,0000000A), ref: 0047889D
                                                                                  • Part of subcall function 00478871: lstrcmpiA.KERNEL32(?,combobox), ref: 004788AC
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00478A11
                                                                                • GetParent.USER32(?), ref: 00478A1F
                                                                                • GetDesktopWindow.USER32 ref: 00478A23
                                                                                • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00478A37
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 2818563221-0
                                                                                • Opcode ID: a43a6b71186a3a17e73452defbb75b076c179080453ec623488e5ead03ab6071
                                                                                • Instruction ID: d7f564f3d80e53fff4acdfd6527964d116c44dd12120e1f5e749313b05157627
                                                                                • Opcode Fuzzy Hash: a43a6b71186a3a17e73452defbb75b076c179080453ec623488e5ead03ab6071
                                                                                • Instruction Fuzzy Hash: F1F0A4326C0621A7D232A6255C8CFEF6258AF81F90F15852FF919A73D0DF18DC0146BD
                                                                                APIs
                                                                                • ClientToScreen.USER32(?,?), ref: 004788F5
                                                                                • GetWindow.USER32(?,00000005), ref: 00478906
                                                                                • GetDlgCtrlID.USER32(00000000), ref: 0047890F
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 0047891E
                                                                                • GetWindowRect.USER32(00000000,?), ref: 00478930
                                                                                • PtInRect.USER32(?,?,?), ref: 00478940
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Rect$ClientCtrlLongScreen
                                                                                • String ID:
                                                                                • API String ID: 1315500227-0
                                                                                • Opcode ID: db058719d9ae77dfdaa6f857061e08932f6f5a30abbac4ac40eaf5082ea10b3b
                                                                                • Instruction ID: b82978f4404474fd73478a6bbead52f5e023de98caa434e5583676361a84388b
                                                                                • Opcode Fuzzy Hash: db058719d9ae77dfdaa6f857061e08932f6f5a30abbac4ac40eaf5082ea10b3b
                                                                                • Instruction Fuzzy Hash: 8C0171B218011AABDB115B549C0CEFF3768EF05B10F048839FA19A11A0EB3499169799
                                                                                APIs
                                                                                  • Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
                                                                                  • Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12
                                                                                  • Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C
                                                                                • IsRectEmpty.USER32(?), ref: 0040A236
                                                                                • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0040A2BD
                                                                                • GetCurrentObject.GDI32(?,00000006), ref: 0040A34A
                                                                                • GetClientRect.USER32(?,?), ref: 0040A3BC
                                                                                  • Part of subcall function 00477F56: __EH_prolog.LIBCMT ref: 00477F5B
                                                                                  • Part of subcall function 00477F56: EndPaint.USER32(?,?,?,?,00407503), ref: 00477F78
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologPaintRect$BeginClientClipCurrentEmptyObject
                                                                                • String ID: \VO
                                                                                • API String ID: 3717962522-2422581269
                                                                                • Opcode ID: cfe7148ca181c22940f6768df8a20795e4e9d604ed636a32b2c3e9ca6d84ceb7
                                                                                • Instruction ID: 474253ae1ef768a4ae09072bc2a0d7472f43f811c21447b85e6cebe019d57f94
                                                                                • Opcode Fuzzy Hash: cfe7148ca181c22940f6768df8a20795e4e9d604ed636a32b2c3e9ca6d84ceb7
                                                                                • Instruction Fuzzy Hash: 8C617C711083419FC324EF25C855FABB7E8EB98714F40892EF59A83291DB78E909CB57
                                                                                APIs
                                                                                • IsWindow.USER32(?), ref: 004345B9
                                                                                • SendMessageA.USER32(?,00000111,?,?), ref: 00434679
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSendWindow
                                                                                • String ID: xbP$xbP$xbP
                                                                                • API String ID: 701072176-513826123
                                                                                • Opcode ID: 465348d3c645543bc299fd9dbeb98de5cc56cbca78e8fdd467b59b9e346e0f31
                                                                                • Instruction ID: 2a2e48c1518b9720d4ad33c11a777d444eb5be4864d24ece92a9eea03154ccb5
                                                                                • Opcode Fuzzy Hash: 465348d3c645543bc299fd9dbeb98de5cc56cbca78e8fdd467b59b9e346e0f31
                                                                                • Instruction Fuzzy Hash: 2441E5367002015BDB149E2A9C81BFF73A4EBCA324F54513FF904C6381D66DEC498766
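Every function record above repeats the same "Memory Dump Source" block, and the dump names encode which region of process 2 each dump came from. The following is an added helper, not part of the Joe Sandbox report or the Joe Sandbox tooling: it parses those .sdmp names and picks out the image-backed, executable dumps (the ones worth loading into a disassembler). Field meanings are inferred from the report itself and are assumptions: the first two fields are read as the process and run indices that also appear in the snapshot name hcaresult_2_2_400000, the fourth as the dump base, the fifth as a Windows PAGE_* protection value (it is 0x20 at .text, 0x02 at the PE header and 0x04/0x08 at writable data, which matches how a loaded image is protected), and the seventh equals MEM_IMAGE; the third, sixth and eighth fields are kept raw because the report does not state what they mean. The sample block is copied from the report lines above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows memory protection constants (winnt.h). Reading the fifth
# dump-name field as one of these is an assumption drawn from the report,
# not a documented Joe Sandbox format.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x01000000          # winnt.h; field seven is 01000000 on every dump here
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80

# <proc>.<run>.<stamp>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
# proc/run are assumed to be the indices seen in hcaresult_2_2_400000;
# stamp, f6 and f8 are kept raw (meaning not stated in the report).
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<stamp>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class Dump:
    process: int
    run: int
    stamp: str
    base: int
    protect: int
    mem_type: int
    raw: str

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def from_image(self) -> bool:
        return self.mem_type == MEM_IMAGE


def _dump_from_match(m: re.Match) -> Dump:
    return Dump(
        process=int(m["proc"], 16),
        run=int(m["run"], 16),
        stamp=m["stamp"],
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
        raw=m.group(0),
    )


def parse_sdmp(name: str) -> Dump:
    """Parse one .sdmp identifier; raises ValueError on anything else."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return _dump_from_match(m)


def parse_dump_source(lines) -> list[Dump]:
    """Collect every dump named in a "Memory Dump Source" block. Bullets,
    the "Source File:"/"Associated:" labels and trailing link text such as
    "Download File" are ignored because the regex only matches the name."""
    return [_dump_from_match(m) for line in lines for m in SDMP_RE.finditer(line)]


def code_dumps(dumps) -> list[Dump]:
    """Image-backed dumps with an executable protection, lowest base first."""
    return sorted((d for d in dumps if d.from_image and d.executable), key=lambda d: d.base)


# Constructed sample: a subset of the block the report prints for each function.
SAMPLE_BLOCK = """\
Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
""".splitlines()

if __name__ == "__main__":
    for d in parse_dump_source(SAMPLE_BLOCK):
        flag = "CODE" if d.executable else "    "
        print(f"{flag} pid#{d.process} run#{d.run} base=0x{d.base:08x} {d.protect_name}")
```

On the sample block only the 0x401000 dump is executable, which is the .text section of the image loaded at 0x400000; the 0x4E8000 dump shows PAGE_WRITECOPY, i.e. a data page that had not yet been written when the dump was taken, while 0x4F5000 had already been written and shows PAGE_READWRITE.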
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 00465D0D
                                                                                • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00465D42
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00465DA2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                • API String ID: 1385375860-4131005785
                                                                                • Opcode ID: ea07d74dff9601dd6729374ec5c162a70e4d5f69d43cc85151fc0c291c61e57b
                                                                                • Instruction ID: 5e41485a9fb421a23fc31160a342d5255a634354a085955b2d94d7803e309790
                                                                                • Opcode Fuzzy Hash: ea07d74dff9601dd6729374ec5c162a70e4d5f69d43cc85151fc0c291c61e57b
                                                                                • Instruction Fuzzy Hash: 003118719016486AEF3187749C59BDF37689B06304F5444DBD085D52C2F67D8E85CB1B
                                                                                APIs
                                                                                • IsWindow.USER32(?), ref: 0042D1F4
                                                                                • SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0042D24D
                                                                                • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0042D25C
                                                                                • SendMessageA.USER32(?,000000C2,00000000,?), ref: 0042D28A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$Window
                                                                                • String ID: \VO
                                                                                • API String ID: 2326795674-2422581269
                                                                                • Opcode ID: 49511954d75018c5e553bf4b8cc517f7588575ccd6593bf643b1d8cebfd6da8a
                                                                                • Instruction ID: 46cf872f3f66d90519b4ea261d8a0bc57440fdf0faf768798cba680202627916
                                                                                • Opcode Fuzzy Hash: 49511954d75018c5e553bf4b8cc517f7588575ccd6593bf643b1d8cebfd6da8a
                                                                                • Instruction Fuzzy Hash: 5B41A372644751DBD320DB59D840B5BB7D4EB94710F448A5EF495873D1C378D408CBA6
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 004735C9
                                                                                • GetWindowLongA.USER32(?,000000FC), ref: 004735DA
                                                                                • GetWindowLongA.USER32(?,000000FC), ref: 004735EA
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00473606
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LongWindow$MessageSend
                                                                                • String ID: (
                                                                                • API String ID: 2178440468-3887548279
                                                                                • Opcode ID: 71a653b974616c0dd4e33500b1673da93b34ce0bf1909815758ec7880ca53585
                                                                                • Instruction ID: 7d3766404ba413d65f4c151c9af4cbed576f01b85d82abc5dba8b0f4bbb2de90
                                                                                • Opcode Fuzzy Hash: 71a653b974616c0dd4e33500b1673da93b34ce0bf1909815758ec7880ca53585
                                                                                • Instruction Fuzzy Hash: E8310470600700AFDB20AF69C945BAEBBF5FF44715F10852EE549A7391DB38E9048B99
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0047B698
                                                                                  • Part of subcall function 0047B784: lstrlenA.KERNEL32(00000104,00000000,?,0047B6C8), ref: 0047B7BB
                                                                                • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0047B739
                                                                                • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0047B766
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                                                • String ID: .HLP$.INI
                                                                                • API String ID: 2421895198-3011182340
                                                                                • Opcode ID: 03aa441e8f36a40aa0b0080d2966bf85189b0513c32a9b860623e2ceee1860a8
                                                                                • Instruction ID: 91b3b58434f680409ace84902381da1db0f6636f7247d68cf68f52cca6364cdc
                                                                                • Opcode Fuzzy Hash: 03aa441e8f36a40aa0b0080d2966bf85189b0513c32a9b860623e2ceee1860a8
                                                                                • Instruction Fuzzy Hash: B3319275904718AFDB20EF75D885BC6B7FCEF04304F10896BE199D2151EB78AA84CB54
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Global$Size$LockUnlock
                                                                                • String ID: BM
                                                                                • API String ID: 2233901773-2348483157
                                                                                • Opcode ID: a5107ad4b284dcc5fc03810f8d1788f072d9878de327c7c5a8a37d85a743f303
                                                                                • Instruction ID: 7c17986d419e6b422a183d29a7b9a15c13cbdf0aa0fdb924cc9e9f1f98fb6990
                                                                                • Opcode Fuzzy Hash: a5107ad4b284dcc5fc03810f8d1788f072d9878de327c7c5a8a37d85a743f303
                                                                                • Instruction Fuzzy Hash: 3921A476900254ABC710DF99D845BDEBBB8FF48720F10426EE819F3391D77859408BA9
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000002D), ref: 00441EB9
                                                                                • SystemParametersInfoA.USER32 ref: 00441F13
                                                                                • CreateFontIndirectA.GDI32(?), ref: 00441F21
                                                                                • CreatePalette.GDI32(00000300), ref: 00441F79
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateSystem$FontIndirectInfoMetricsPaletteParameters
                                                                                • String ID: T1O
                                                                                • API String ID: 934993634-3033138381
                                                                                • Opcode ID: 7a966f36f23f7e382abaf7ba26d8d5a4f97cf0e2390176339ab9f28b610ba8ae
                                                                                • Instruction ID: 19617e9a6c9bf552c3a79fea8c1a8d7140cae78d895a9b968e27c9bf6f537121
                                                                                • Opcode Fuzzy Hash: 7a966f36f23f7e382abaf7ba26d8d5a4f97cf0e2390176339ab9f28b610ba8ae
                                                                                • Instruction Fuzzy Hash: C1318E75104B808FD320CF29C988ADBFBF5FF85308F40896EE29A8B651DB75A449CB11
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$ClassInfo
                                                                                • String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
                                                                                • API String ID: 845911565-79760390
                                                                                • Opcode ID: f54a8fc83c1011cfc085a0d098967c483da68277522d01b4379f6d157d018e5a
                                                                                • Instruction ID: 6ea9788f14ddcf9242bbab710ec52391ef120b2420bf06cb95be39599d388c72
                                                                                • Opcode Fuzzy Hash: f54a8fc83c1011cfc085a0d098967c483da68277522d01b4379f6d157d018e5a
                                                                                • Instruction Fuzzy Hash: C4210E71D00209AF8F10DF99DC859EF7BB8EF49355B00842FF909A2201D7759A51DFA9
                                                                                APIs
                                                                                • Shell_NotifyIconA.SHELL32(00000001,?,?,00000058), ref: 00416369
                                                                                • DestroyIcon.USER32(?,?,?,00000058), ref: 00416376
                                                                                • Shell_NotifyIconA.SHELL32(?,?,00000000,00000058), ref: 004163A9
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Icon$NotifyShell_$Destroy
                                                                                • String ID: X$d
                                                                                • API String ID: 944232879-651813629
                                                                                • Opcode ID: 7722b9a4f4c03d6e67f1f7fa6c719532c2ecf10fccce330a19e675eefbccbcaf
                                                                                • Instruction ID: 8a4a884cc1f4ae3e10fcba756162d3f7778dc1e5a27c2367a493320ea0f24b33
                                                                                • Opcode Fuzzy Hash: 7722b9a4f4c03d6e67f1f7fa6c719532c2ecf10fccce330a19e675eefbccbcaf
                                                                                • Instruction Fuzzy Hash: 57215C75608700AFE350DF19D804B9BBBE9BFD4704F00891EB9D893390EBB5D9588B96
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 004720C1
                                                                                • GetDlgItem.USER32(?,00000002), ref: 004720E0
                                                                                • IsWindowEnabled.USER32(00000000), ref: 004720EB
                                                                                • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00472101
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$EnabledItemLongMessageSend
                                                                                • String ID: Edit
                                                                                • API String ID: 3499652902-554135844
                                                                                • Opcode ID: 95b5a31261601f3ab02bfa5c90586a9f76cd3ad7f35a9da7127be285fdff7172
                                                                                • Instruction ID: 9911f1a79d4ed03f00a0681194788acbcdf8697d4a65494979a04c41696bd65a
                                                                                • Opcode Fuzzy Hash: 95b5a31261601f3ab02bfa5c90586a9f76cd3ad7f35a9da7127be285fdff7172
                                                                                • Instruction Fuzzy Hash: 9601C8302402117AEA345A25CE09BEF7B64FF41B14F50C92BF609E22E1DBE8DC45CA2D
                                                                                APIs
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Rect$Client$Copy
                                                                                • String ID:
                                                                                • API String ID: 472922470-0
                                                                                • Opcode ID: 94c0f2e6afcdfc1bd51962deb361956ae7109f034d32f9ad5f80e351e898f6b6
                                                                                • Instruction ID: f0c1285175a6668b853d415c7d131b4352f0c0578ab17944900ec7397010f16e
                                                                                • Opcode Fuzzy Hash: 94c0f2e6afcdfc1bd51962deb361956ae7109f034d32f9ad5f80e351e898f6b6
                                                                                • Instruction Fuzzy Hash: 888170713083519FC324EB69D880B6FB7E5BBC8704F90491EF58A87241EA78D8498B67
                                                                                APIs
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Rect$ClientCreateEmptyFill
                                                                                • String ID:
                                                                                • API String ID: 97219908-0
                                                                                • Opcode ID: 918a9007a2d38f8686e368cf99bc8f9c7edbd52d26804ec2b138aab913d9c66d
                                                                                • Instruction ID: b0b6e790513edd1af68f820209ec9d043b6fa56eca7c654f8fa267db77f9f921
                                                                                • Opcode Fuzzy Hash: 918a9007a2d38f8686e368cf99bc8f9c7edbd52d26804ec2b138aab913d9c66d
                                                                                • Instruction Fuzzy Hash: DD516271214742AFD714DF25C885E6BB3E9FF84704F00892EF55993281DB78E808CBAA
                                                                                APIs
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 00465A95
                                                                                • GetFileType.KERNEL32(?,?,00000000), ref: 00465B40
                                                                                • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00465BA3
                                                                                • GetFileType.KERNEL32(00000000,?,00000000), ref: 00465BB1
                                                                                • SetHandleCount.KERNEL32 ref: 00465BE8
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileHandleType$CountInfoStartup
                                                                                • String ID:
                                                                                • API String ID: 1710529072-0
                                                                                • Opcode ID: 6ad41282d2625491f7e0a53f88d2ac9c428aee7c1d36388a5de60aeb16bb1178
                                                                                • Instruction ID: a78537c471bcbadaae6a51c9efbd63af8d3e36fd870dad2b93cc080a74d30bf6
                                                                                • Opcode Fuzzy Hash: 6ad41282d2625491f7e0a53f88d2ac9c428aee7c1d36388a5de60aeb16bb1178
                                                                                • Instruction Fuzzy Hash: 1351E771504A018FC7218B78D8847667BE4AB11B29F28476ED5A2CB2E1F778AC09D71B
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,00000000,?,?,?,0045F1A6,00000000), ref: 0045F9B4
                                                                                  • Part of subcall function 0045F8B0: WriteFile.KERNEL32(0045F9DC,?,00000002,?), ref: 0045F8D4
                                                                                • CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,0045F1A6,00000000,?,?,?,?,?,00000003,?), ref: 0045F9E1
                                                                                • WriteFile.KERNEL32(00000000,?,00000010,?,00000000,?,00000000), ref: 0045FA7F
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,0045F1A6,00000000,?), ref: 0045FAD4
                                                                                • CloseHandle.KERNEL32(?,00000000,?,?,?,?,0045F1A6,00000000,?,?,?,?,?,00000003,?), ref: 0045FB01
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Write$CloseHandle$Create
                                                                                • String ID:
                                                                                • API String ID: 3850996263-0
                                                                                • Opcode ID: eed810e7deda5275f21c5c7f648a47e70229db3339725e19607d5cc81075127d
                                                                                • Instruction ID: 5740aed00236501e6cc2cf7219e402e70938c91831d051f6d58866dfcdf51a9b
                                                                                • Opcode Fuzzy Hash: eed810e7deda5275f21c5c7f648a47e70229db3339725e19607d5cc81075127d
                                                                                • Instruction Fuzzy Hash: 65414971208342ABD324DF64D888B6BF7E8EF98305F10092DF99587342D364E90CCBA6
                                                                                APIs
                                                                                • IsWindow.USER32(?), ref: 004170C0
                                                                                • WinHelpA.USER32(?,00000000,00000002,00000000), ref: 004170DB
                                                                                • GetMenu.USER32(?), ref: 004170EB
                                                                                • SetMenu.USER32(?,00000000), ref: 004170F8
                                                                                • DestroyMenu.USER32(00000000), ref: 00417103
Yara matches
Similarity
• API ID: Menu$DestroyHelpWindow
• String ID:
• API String ID: 427501538-0
• Opcode ID: ac906b6202dcbc346569720b558076221f140322cae316f149bad285d3a8cc59
• Instruction ID: ea224330ad742797991e0e1692febec797dc60a484b7df87ddeac0bd0110c4fe
• Opcode Fuzzy Hash: ac906b6202dcbc346569720b558076221f140322cae316f149bad285d3a8cc59
• Instruction Fuzzy Hash: C731C7716043096BC314AF66CC45EAFBBBCFF49348F05091EF90593241DB39B8958BA9
APIs
• midiStreamStop.WINMM(?,00000000,?,00000000,004225CA,00000000,005057D0,00414F56,005057D0,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422A95
• midiOutReset.WINMM(?,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422AB3
• WaitForSingleObject.KERNEL32(?,000007D0,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422AD6
• midiStreamClose.WINMM(?,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422B13
• midiStreamClose.WINMM(?,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422B47
Yara matches
Similarity
• API ID: midi$Stream$Close$ObjectResetSingleStopWait
• String ID:
• API String ID: 3142198506-0
• Opcode ID: 6b3b54964f08d9fe8f0ca6423ab8d61fb40268fd61be1ee63eb23db956633a04
• Instruction ID: e705a0a11c53174dce0fa6023e126b315d145eb59caf43c1d7e69b1a4cb34893
• Opcode Fuzzy Hash: 6b3b54964f08d9fe8f0ca6423ab8d61fb40268fd61be1ee63eb23db956633a04
• Instruction Fuzzy Hash: BE313E72700B219BCB309F69A9C455FB7E5BF947017544A3FE286C6A00C7B8E846CB98
APIs
Yara matches
Similarity
• API ID: Menu$Destroy$AcceleratorTableWindow
• String ID:
• API String ID: 1240299919-0
• Opcode ID: 8cc4d858e18f7080302e3e9c6356e24eff324c9e05093acf29b536d7feb157ca
• Instruction ID: 6fcf1f34a8950d99d13075ba1c4768ff069a6b73ed772d6f054bd9bca95a2fb7
• Opcode Fuzzy Hash: 8cc4d858e18f7080302e3e9c6356e24eff324c9e05093acf29b536d7feb157ca
• Instruction Fuzzy Hash: A13198B1A003056FC720EF66DC44D6B77B8EF85758F02492DFD0597242EA38E809CBA5
APIs
• IsChild.USER32(?,?), ref: 00418D8C
  • Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
  • Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767
• GetCursorPos.USER32(?), ref: 00418DA4
• GetClientRect.USER32(?,?), ref: 00418DB3
• PtInRect.USER32(?,?,?), ref: 00418DD4
• SetCursor.USER32(?,?,00000000,?,?,?,?,00418A00), ref: 00418E52
Yara matches
Similarity
• API ID: ChildCursorRect$ClientParent
• String ID:
• API String ID: 1110532797-0
• Opcode ID: 7097b24e5ecbf9d06d8e486ba81364cf802807eb91742df89d1d3d53767b26f7
• Instruction ID: 9b19a506daec7c76f0880b13d1c77013ede7635c09223fc3fd92456753349406
• Opcode Fuzzy Hash: 7097b24e5ecbf9d06d8e486ba81364cf802807eb91742df89d1d3d53767b26f7
• Instruction Fuzzy Hash: 9D21B4726003016FC720EB25DC45F9F73F8AF94B14F144A2EF945E7281EA38E94587A9
APIs
  • Part of subcall function 00477E30: __EH_prolog.LIBCMT ref: 00477E35
  • Part of subcall function 00477E30: GetWindowDC.USER32(?,?,?,00406981), ref: 00477E5E
• GetClientRect.USER32 ref: 00406992
• GetWindowRect.USER32(?,?), ref: 004069A1
  • Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000000), ref: 00477BFE
  • Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000008), ref: 00477C07
• OffsetRect.USER32(?,?,?), ref: 004069CC
  • Part of subcall function 00477B27: ExcludeClipRect.GDI32(?,?,?,?,?,7694A5C0,?,?,004069DC,?), ref: 00477B4C
  • Part of subcall function 00477B27: ExcludeClipRect.GDI32(?,?,?,?,?,7694A5C0,?,?,004069DC,?), ref: 00477B61
• OffsetRect.USER32(?,?,?), ref: 004069EF
• FillRect.USER32(?,?,?), ref: 00406A0A
Yara matches
Similarity
• API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
• String ID:
• API String ID: 2829754061-0
• Opcode ID: c738cfb8676412fdb4e0a56ff11d419ca13dc1501c020e851cab6cce927af71d
• Instruction ID: eee0c987fc614536d2daa9374927ce5fe99d7396ce8cb420638cc8a01fe91ff9
• Opcode Fuzzy Hash: c738cfb8676412fdb4e0a56ff11d419ca13dc1501c020e851cab6cce927af71d
• Instruction Fuzzy Hash: 213184B5218301AFD714DF14C845EABB7E9EBC4714F008E1DF59A97290DB34E905CB56
APIs
  • Part of subcall function 0046FF40: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 0046FF61
• SendMessageA.USER32(?,0000110A,00000004,?), ref: 00409975
• SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00409995
• SendMessageA.USER32(?,00001101,00000000,00000000), ref: 004099A7
• SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 004099B5
• SendMessageA.USER32(?,00001101,00000000,00000000), ref: 004099C7
Yara matches
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: ab67c1cb1104f1d5a713625efd013d28bf64115f8ba2a987784984193f5be86c
• Instruction ID: 07a1db4b6557d881dfa859639065baa88a573200386c9e97a9dbd01fe48328c6
• Opcode Fuzzy Hash: ab67c1cb1104f1d5a713625efd013d28bf64115f8ba2a987784984193f5be86c
• Instruction Fuzzy Hash: 9F018FF27407053AE634AA669CC1F6792AC9F94B55F00092EB741AB3C5DAF8EC064678
APIs
• __EH_prolog.LIBCMT ref: 0047398C
• GetClassInfoA.USER32(?,?,?), ref: 004739A7
• RegisterClassA.USER32(?), ref: 004739B2
• lstrcatA.KERNEL32(00000034,?,00000001), ref: 004739E9
• lstrcatA.KERNEL32(00000034,?), ref: 004739F7
Yara matches
Similarity
• API ID: Classlstrcat$H_prologInfoRegister
• String ID:
• API String ID: 106226465-0
• Opcode ID: df358d1c3a3c9fdfb965a767acf4d16736bf97d716d1a91b456bf5f7ed8b59cc
• Instruction ID: c7af577bfda2311b3ce93856460fac526ed147dac0ea54cfca751778f9469f54
• Opcode Fuzzy Hash: df358d1c3a3c9fdfb965a767acf4d16736bf97d716d1a91b456bf5f7ed8b59cc
• Instruction Fuzzy Hash: 08114872500204BECB10EF718C01BEE7FB8EF44318F00892FF809A7191D7789A049BA9
APIs
• GetLastError.KERNEL32(00000103,7FFFFFFF,004630C2,00464DFB,00000000,?,?,00000000,00000001), ref: 00465C5C
• TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00465C6A
• SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00465CB6
  • Part of subcall function 00463472: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00463568
• TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00465C8E
• GetCurrentThreadId.KERNEL32 ref: 00465C9F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                                                • String ID:
                                                                                • API String ID: 2020098873-0
                                                                                • Opcode ID: d22401dc1213226e7c3ceef3b87f96fb918f2d23230bc1dabba43767e6f7fab9
                                                                                • Instruction ID: e115db0091c0705883853dd79ce4c1cc3ab505c96ef8448535080f619c3c52d2
                                                                                • Opcode Fuzzy Hash: d22401dc1213226e7c3ceef3b87f96fb918f2d23230bc1dabba43767e6f7fab9
                                                                                • Instruction Fuzzy Hash: AAF062325027129BD7622B31AC0DA1E3B60AB01771B11092EF941952E0FB6A8845879A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID: <$`\A
• API String ID: 0-3533779597
• Opcode ID: ad0aebaef8f7e38166afa2f98e862278ff36d9dece0a2cb9a8d52c3576c31f50
• Instruction ID: ce7faf287b8bb78e3ae234feee66ede161724abfa1844a19e1e1c42e7f84d820
• Opcode Fuzzy Hash: ad0aebaef8f7e38166afa2f98e862278ff36d9dece0a2cb9a8d52c3576c31f50
• Instruction Fuzzy Hash: 58B1A6B15187418FC714CF24C890AABB7E1BBC5311F14892EF5DAD7380DB74DA898B86
APIs
  • Part of subcall function 0041B3E0: InvalidateRect.USER32(?,00000000,00000000), ref: 0041B40A
  • Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
  • Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7
• SendMessageA.USER32(?,000000B0,?,?), ref: 0041C582
• SendMessageA.USER32(?,000000B1,?,?), ref: 0041C5BE
• SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0041C5CB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: MessageSend$TextWindow$InvalidateLengthRect
• String ID: \VO
• API String ID: 2881497910-2422581269
• Opcode ID: 31e4b854dbc15c1fa53f5711e76d3ed6941ffa04c3924a3747c3a5f829f790ab
• Instruction ID: 6086eebae5186b2b57b8e9b414bfee4723fff071ede089f459321a71d1549631
• Opcode Fuzzy Hash: 31e4b854dbc15c1fa53f5711e76d3ed6941ffa04c3924a3747c3a5f829f790ab
• Instruction Fuzzy Hash: 4181F7F1548302ABD614DB64DCD1DBF73E8AB84344F148E2FF59582291E638E889C76B
APIs
  • Part of subcall function 00412B20: GetCurrentThreadId.KERNEL32 ref: 00412B45
  • Part of subcall function 00412B20: IsWindow.USER32(00000000), ref: 00412B61
  • Part of subcall function 00412B20: SendMessageA.USER32(00000000,000083E7,00412451,00000000), ref: 00412B7A
  • Part of subcall function 00412B20: ExitProcess.KERNEL32 ref: 00412B8F
• DeleteCriticalSection.KERNEL32(00506290,?,?,?,?,?,?,?,?,00414EBD), ref: 0040F15A
  • Part of subcall function 00473476: __EH_prolog.LIBCMT ref: 0047347B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
• String ID: !$#$`\A
• API String ID: 2888814780-2661838773
• Opcode ID: 062e78243ff93cf5c0e6832bc7945e3024dd77ec5527ef1cda715c22e9d473f9
• Instruction ID: 923d0d47f0203151a878fdb31e224976cfad0f4189bfc8f6c860de677049e1d4
• Opcode Fuzzy Hash: 062e78243ff93cf5c0e6832bc7945e3024dd77ec5527ef1cda715c22e9d473f9
• Instruction Fuzzy Hash: 59912F74008B81CED312EF75C45479BBFE4AFA5308F54485EE4DA07392DBB96248CBA6
APIs
• wsprintfA.USER32 ref: 0042D8EF
• CreateFontIndirectA.GDI32(00000028), ref: 0042D958
• GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0042D99F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: CreateExtentFontIndirectPoint32Textwsprintf
• String ID: (
• API String ID: 3175173087-3887548279
• Opcode ID: 299b925808a7e7a92dbdedcc0387106de36e4c50e49d52bfb2bcf69a00837a6f
• Instruction ID: dab4ecaa91b9f72f48b9694423ea9894d7cd8dce00644c7cfcac5791a4074aae
• Opcode Fuzzy Hash: 299b925808a7e7a92dbdedcc0387106de36e4c50e49d52bfb2bcf69a00837a6f
• Instruction Fuzzy Hash: 4951D3712083458FC324CF28D885B6FB7E5FB88304F144A1EF59A83381DBB99949CB96
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID:
• String ID: $`\A
• API String ID: 0-2008107022
• Opcode ID: 7e551758bfe3d387ff134eebcb1ca0ac7451f092d95ae119ecd1f94b83e1ae8f
• Instruction ID: a13ea363fb901079675aeaacd131e3a629689ec94de5627d83f294a2c171b3a0
• Opcode Fuzzy Hash: 7e551758bfe3d387ff134eebcb1ca0ac7451f092d95ae119ecd1f94b83e1ae8f
• Instruction Fuzzy Hash: 7D51BE712047519FC314EF15D880B6BB7A8FBC5358F400A2EF95693290DB38E845CB9A
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: __ftol
• String ID: A
• API String ID: 495808979-2078354741
• Opcode ID: d1d7c8796dd1e0fc7e18fd3c04c0511726537b6201def722743b8b60609e40ea
• Instruction ID: 0aa2dff4cff6530d269409322a96791c9cfc400316d17b88a55875f4f6294be8
• Opcode Fuzzy Hash: d1d7c8796dd1e0fc7e18fd3c04c0511726537b6201def722743b8b60609e40ea
• Instruction Fuzzy Hash: A941C5366093428FC305CF2AC4846EA7BE1FF99308F15457EE8858B352D735D94ACB46
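The records above are the raw per-function output of the Joe Sandbox IDA plugin, and the "API ID" line is the key the report uses to relate functions to each other. The following is an added example, not part of the report and not Joe Sandbox code: it parses these records into structured form (API calls with their nesting, memory dump names, the similarity fields) and rebuilds the API ID from the listed API calls. The construction rule it uses (split each API name at uppercase boundaries, drop tokens shorter than four characters, group tokens by how often they occur, sort each group, join the groups with `$`) is inferred only from the records on this page, where it reproduces every API ID whose API lines are shown; it is an assumption, not a documented algorithm. The two embedded records are copied from the report above.

```python
"""Parse the per-function records of the Joe Sandbox dump above and rebuild
each record's "API ID" similarity key from its listed API calls.
Added example for this report page, not Joe Sandbox code. The API ID rule
(split API names at uppercase boundaries, drop tokens shorter than four
characters, group tokens by occurrence count, sort each group, join groups
with '$') is inferred from the records on this page: an assumption, not a
documented Joe Sandbox algorithm."""
import re
from collections import Counter, namedtuple
from dataclasses import dataclass, field

# API line shapes seen above: "X.MOD(args), ref: ADDR" and "X.MOD ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR: ".
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
TOKEN = re.compile(r"[A-Z][a-z0-9_]*|[a-z_][a-z0-9_]*")
MIN_TOKEN_LEN = 4  # assumption: Get/Set/Tls/Is/Id/A never appear in the API IDs above
ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")  # subcall_of: None if direct

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    sources: list = field(default_factory=list)  # memory dump names, viewer residue removed
    fields: dict = field(default_factory=dict)   # API ID, String ID, fuzzy hashes, ...

def parse_records(text):
    """Split the dump into records; an 'Instruction Fuzzy Hash' line closes one."""
    records, rec, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = API_LINE.match(line) if section == "APIs" else None
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            rec.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("Source File", "Associated"):
            # keep the dump name only; drop ", Offset: ..." and the glued-on link label
            rec.sources.append(re.sub(r"Download File$", "", val.split(",")[0]))
        else:
            rec.fields[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(rec)
            rec, section = FunctionRecord(), None
    return records

def api_tokens(api_name):
    """'GetTextExtentPoint32A' -> ['Text', 'Extent', 'Point32']"""
    return [t for t in TOKEN.findall(api_name) if len(t) >= MIN_TOKEN_LEN]

def build_api_id(calls):
    """Rebuild the API ID; subcall APIs count like direct ones (see the MessageSend record)."""
    counts = Counter(t for c in calls for t in api_tokens(c.api))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))

def check_api_ids(text):
    """(reported API ID, rebuilt API ID) for every record that lists API calls."""
    return [(r.fields.get("API ID", ""), build_api_id(r.apis))
            for r in parse_records(text) if r.apis]

# Two records copied from the report above (report data, not constructed).
SAMPLE = """
APIs
• GetLastError.KERNEL32(00000103,7FFFFFFF,004630C2,00464DFB,00000000,?,?,00000000,00000001), ref: 00465C5C
• TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00465C6A
• SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00465CB6
  • Part of subcall function 00463472: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00463568
• TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00465C8E
• GetCurrentThreadId.KERNEL32 ref: 00465C9F
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Similarity
• API ID: ErrorLastValue$AllocCurrentHeapThread
• String ID:
• Instruction Fuzzy Hash: AAF062325027129BD7622B31AC0DA1E3B60AB01771B11092EF941952E0FB6A8845879A
APIs
  • Part of subcall function 0041B3E0: InvalidateRect.USER32(?,00000000,00000000), ref: 0041B40A
  • Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
  • Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7
• SendMessageA.USER32(?,000000B0,?,?), ref: 0041C582
• SendMessageA.USER32(?,000000B1,?,?), ref: 0041C5BE
• SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0041C5CB
Similarity
• API ID: MessageSend$TextWindow$InvalidateLengthRect
• Instruction Fuzzy Hash: 4181F7F1548302ABD614DB64DCD1DBF73E8AB84344F148E2FF59582291E638E889C76B
"""
```

Running `check_api_ids` over a whole report dump gives a quick self-check of the rule: any pair whose rebuilt value differs from the reported one is a record the inferred rule does not cover. The parsed `apis` lists and fuzzy hashes are the values worth carrying into other tooling, for instance to match a function's Instruction Fuzzy Hash or API sequence against records from other reports of the same family.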
                                                                                APIs
                                                                                  • Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
                                                                                  • Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7
                                                                                • wsprintfA.USER32 ref: 00433613
                                                                                • SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0043363B
                                                                                • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043364A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSendTextWindow$Lengthwsprintf
                                                                                • String ID: \VO
                                                                                • API String ID: 1782877324-2422581269
                                                                                • Opcode ID: 9caee4791c6c3e554a1b37e1dfdda0f5d82fe4ecff284b182bc48e2b1d8887b3
                                                                                • Instruction ID: 49f03d078ba073193933987f35b28b69398918e96e40f34d73f7c43643f427b6
                                                                                • Opcode Fuzzy Hash: 9caee4791c6c3e554a1b37e1dfdda0f5d82fe4ecff284b182bc48e2b1d8887b3
                                                                                • Instruction Fuzzy Hash: 4631B475304701ABD308DB29CC52B5FB3A5EB84724F649B2DF166973C0DB78E8058B56
                                                                                APIs
                                                                                • GlobalLock.KERNEL32 ref: 0047718C
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004771DF
                                                                                • GlobalUnlock.KERNEL32(?), ref: 00477276
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Global$ByteCharLockMultiUnlockWide
                                                                                • String ID: @
                                                                                • API String ID: 231414890-2766056989
                                                                                • Opcode ID: fda675224f07c068402271ec94c06a72f208673c7e6f695ea28984e3c9d6d041
                                                                                • Instruction ID: 8798f135224ea644b1800b34de8569c5d8ee272eb5da236c064fe979a223e1e8
                                                                                • Opcode Fuzzy Hash: fda675224f07c068402271ec94c06a72f208673c7e6f695ea28984e3c9d6d041
                                                                                • Instruction Fuzzy Hash: A241E672804205EFCB10DF98C8819EEBBB9FF40354F54C56EE8299B255D3399A46CB98
                                                                                APIs
                                                                                • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,00415FC8), ref: 00416039
                                                                                • DestroyIcon.USER32(?), ref: 0041606E
                                                                                • DestroyIcon.USER32(?), ref: 0041607B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DestroyIcon
                                                                                • String ID: `\A
                                                                                • API String ID: 1234817797-2688774508
                                                                                • Opcode ID: 761f47c2a3f37122c1072ff8fb6ec03166ead46a12daddd7b9905a8a9997515d
                                                                                • Instruction ID: 09e9816dcff21b1b804e06b8a58c9b0629c295ab4cb01a2469fa92893a28e424
                                                                                • Opcode Fuzzy Hash: 761f47c2a3f37122c1072ff8fb6ec03166ead46a12daddd7b9905a8a9997515d
                                                                                • Instruction Fuzzy Hash: BA418DB15047819BC320DF29C48179AFBE4BF59318F804A2EE49A53781D77CA508CB6A
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00409CCB
                                                                                • SendMessageA.USER32(?,00000187,00000000,00000000), ref: 00409CFD
                                                                                  • Part of subcall function 00479459: SendMessageA.USER32(?,0000018A,?,00000000), ref: 00479471
                                                                                  • Part of subcall function 00479459: SendMessageA.USER32(?,00000189,?,00000000), ref: 0047948A
                                                                                • SendMessageA.USER32(?,00000188,00000000,00000000), ref: 00409D5A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: \VO
                                                                                • API String ID: 3850602802-2422581269
                                                                                • Opcode ID: c06985711f85bd6d9bbc47a0798021d997339fa470093162065689ef662c0e2c
                                                                                • Instruction ID: f143268d9e0b6b29eb241e206de38e3cf2d3dc1fce7556eccb965650d86efd69
                                                                                • Opcode Fuzzy Hash: c06985711f85bd6d9bbc47a0798021d997339fa470093162065689ef662c0e2c
                                                                                • Instruction Fuzzy Hash: E6317E74244741AFD224DF2A8881E6BB7F8EFC5714F104A2EF595A7291CB38D8068B26
                                                                                APIs
                                                                                • DestroyIcon.USER32(?), ref: 004147E7
                                                                                • GetCursorPos.USER32(?), ref: 00414851
                                                                                • SetCursorPos.USER32(?,?), ref: 00414861
                                                                                  • Part of subcall function 0041A590: LoadCursorA.USER32(?,00000408), ref: 0041A603
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Cursor$DestroyIconLoad
                                                                                • String ID: `\A
                                                                                • API String ID: 119682594-2688774508
                                                                                • Opcode ID: ef6170720ba11adb66df67358556cd214e6b983a7c85d236bd498c65f0189d48
                                                                                • Instruction ID: dcddfa23036b98578abdaa4fce896515b70f69de6043bf4d00fd039ac944e299
                                                                                • Opcode Fuzzy Hash: ef6170720ba11adb66df67358556cd214e6b983a7c85d236bd498c65f0189d48
                                                                                • Instruction Fuzzy Hash: 96319EB55043009BC710EF65DC85E9BB7A8ABCA319F00092EF45693242EB38E945CB66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $`\A
                                                                                • API String ID: 0-2008107022
                                                                                • Opcode ID: daeac239ee1d62d8471d38dfb951b29072305b985e22c23df7f9733d87dc178a
                                                                                • Instruction ID: 848e24b7744dc9c3b43e3cdec458c2a90b6442e17aba5e7475930466da012d1d
                                                                                • Opcode Fuzzy Hash: daeac239ee1d62d8471d38dfb951b29072305b985e22c23df7f9733d87dc178a
                                                                                • Instruction Fuzzy Hash: 96316A712087409FC714EF14D854B6BB7F4FBD4724F804A2EF996A3290D73899068F5A
                                                                                APIs
                                                                                • GetMenuCheckMarkDimensions.USER32 ref: 0047B2F6
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0047B3A5
                                                                                • LoadBitmapA.USER32(00000000,00007FE3), ref: 0047B3BD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                                                                                • String ID:
                                                                                • API String ID: 2596413745-3916222277
                                                                                • Opcode ID: 5e83080ebf64355408b2e65338068eca4a6151a7688fad9ecd31b7d4ce9c676f
                                                                                • Instruction ID: a45b76971128027f44e9eb6ae6fd7d8625a873a67368b54a9ca8109b8ff00e7e
                                                                                • Opcode Fuzzy Hash: 5e83080ebf64355408b2e65338068eca4a6151a7688fad9ecd31b7d4ce9c676f
                                                                                • Instruction Fuzzy Hash: A2213A71E00215AFDB10CB78DC85BEE7BB9EF40700F058566E909EB282D7349A48CB80
                                                                                APIs
                                                                                • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00441D03
                                                                                  • Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
                                                                                  • Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7
                                                                                • GetParent.USER32(?), ref: 00441CC0
                                                                                • SendMessageA.USER32(?,0000004E,00000000,?), ref: 00441CE5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSendTextWindow$LengthParent
                                                                                • String ID: \VO
                                                                                • API String ID: 484616098-2422581269
                                                                                • Opcode ID: e3d164a2e560d7c2c916d26dca62c8c5460d43233692d99e0e957734983a00bb
                                                                                • Instruction ID: efd056f1778dcc39e12d4f9717203a6543ddbfe9dd98ccfd209597f202be80f9
                                                                                • Opcode Fuzzy Hash: e3d164a2e560d7c2c916d26dca62c8c5460d43233692d99e0e957734983a00bb
                                                                                • Instruction Fuzzy Hash: 2D219FB1644B01AFD320DF19C880B5BB7F4BB88710F108A1EF59A87390D778E9018B59
                                                                                APIs
                                                                                • SendMessageA.USER32(0047C208,00000142,00000000,FFFF0000), ref: 0040AB52
                                                                                • SendMessageA.USER32(0047C208,0000014D,000000FF,0040AA75), ref: 0040AB70
                                                                                • SendMessageA.USER32(0047C208,0000014E,00000000,00000000), ref: 0040AB83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: \VO
                                                                                • API String ID: 3850602802-2422581269
                                                                                • Opcode ID: e0b0cac994ff81a42fc1794e52fa775b5c75a5a17ebc694bc2e838f037608d12
                                                                                • Instruction ID: 404d4c7e958285de4ce8751bb6dd8727cd12173663b9bc10eb621aff801b78bc
                                                                                • Opcode Fuzzy Hash: e0b0cac994ff81a42fc1794e52fa775b5c75a5a17ebc694bc2e838f037608d12
                                                                                • Instruction Fuzzy Hash: 5D21AF71204701ABC224DF28DC45FAB77E5AB84720F504B1EF16A933D0CB78A805CB56
                                                                                APIs
                                                                                • SendMessageA.USER32(?,000000B0,?,?), ref: 00407166
                                                                                  • Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3
                                                                                • SendMessageA.USER32(?,000000B1,?,?), ref: 00407183
                                                                                • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00407190
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$TextWindow
                                                                                • String ID: \VO
                                                                                • API String ID: 1596935084-2422581269
                                                                                • Opcode ID: 052b3ca67787d31f5ff75ea2301033b044eb4e8ea23863666ead1434d49d02f4
                                                                                • Instruction ID: aef75d0e84d0180187101b313497eb113f8736dffdcb52cbfc0ae54a304f7dad
                                                                                • Opcode Fuzzy Hash: 052b3ca67787d31f5ff75ea2301033b044eb4e8ea23863666ead1434d49d02f4
                                                                                • Instruction Fuzzy Hash: 21213DB1508745AFD320DF29C880A6BB7F8FB89754F504E1EF19997290C774E8058B56
                                                                                APIs
                                                                                  • Part of subcall function 0046F5C8: __EH_prolog.LIBCMT ref: 0046F5CD
                                                                                  • Part of subcall function 0046F5C8: lstrcpynA.KERNEL32(?,?,00000104), ref: 0046F6BA
                                                                                  • Part of subcall function 0046F762: lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041CFF9,?,-00000001,00000000,?,?,?,004F0BD0), ref: 0046F76C
                                                                                  • Part of subcall function 0046F762: GetFocus.USER32 ref: 0046F787
                                                                                  • Part of subcall function 0046F762: IsWindowEnabled.USER32(?), ref: 0046F7B0
                                                                                  • Part of subcall function 0046F762: EnableWindow.USER32(?,00000000), ref: 0046F7C2
                                                                                  • Part of subcall function 0046F762: GetOpenFileNameA.COMDLG32(?,?), ref: 0046F7ED
                                                                                  • Part of subcall function 0046F762: EnableWindow.USER32(?,00000001), ref: 0046F80B
                                                                                  • Part of subcall function 0046F762: IsWindow.USER32(?), ref: 0046F811
                                                                                  • Part of subcall function 0046F762: SetFocus.USER32(?), ref: 0046F81F
                                                                                  • Part of subcall function 0046F83D: __EH_prolog.LIBCMT ref: 0046F842
                                                                                  • Part of subcall function 0046F83D: GetParent.USER32(?), ref: 0046F87F
                                                                                  • Part of subcall function 0046F83D: SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046F8A7
                                                                                  • Part of subcall function 0046F83D: GetParent.USER32(?), ref: 0046F8D0
                                                                                  • Part of subcall function 0046F83D: SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046F8ED
                                                                                  • Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3
                                                                                  • Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A
                                                                                • SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0043347D
                                                                                • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043348C
                                                                                  • Part of subcall function 004757F0: SetFocus.USER32(?,00411BE3), ref: 004757FA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$Focus$EnableH_prologParent$DecrementEnabledFileInterlockedNameOpenTextlstrcpynlstrlen
                                                                                • String ID: out.prn$prn
                                                                                • API String ID: 4074345921-3109735852
                                                                                • Opcode ID: 217e41d7b4a0f0f8ff833f30aea21e32e770fae48fbd6f24470a5813633546c1
                                                                                • Instruction ID: 9964e7ce650b6d10914b26df8945c595f7ba066c3462c9269aa011685f3d1402
                                                                                • Opcode Fuzzy Hash: 217e41d7b4a0f0f8ff833f30aea21e32e770fae48fbd6f24470a5813633546c1
                                                                                • Instruction Fuzzy Hash: F021A171248380ABD330EB14C846BEBB7A4AB94724F108B1EB5A9572D2DBBC6404CB57
                                                                                APIs
                                                                                • SendMessageA.USER32(0047BEA8,000000B1,00000000,000000FF), ref: 00406D0D
                                                                                • SendMessageA.USER32(0047BEA8,000000B7,00000000,00000000), ref: 00406D1C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: %l@$\VO
                                                                                • API String ID: 3850602802-1733826371
                                                                                • Opcode ID: d7f4fef47b7ecbaf1cf0dab5b80bb7c5b9d5a700707f2a7d9350ab3522e49080
                                                                                • Instruction ID: a928e3903d56a6bd3af210cd617a22176563732abff316a28aa37eefe7c1b5f6
                                                                                • Opcode Fuzzy Hash: d7f4fef47b7ecbaf1cf0dab5b80bb7c5b9d5a700707f2a7d9350ab3522e49080
                                                                                • Instruction Fuzzy Hash: 4F119371204701ABD324EF29DC51FABB7E5EB84720F508B1EF56A933D0CB78A4048B65
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0046FE2E
                                                                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0046FE7A
                                                                                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046FE83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologMessageSendlstrlen
                                                                                • String ID: \VO
                                                                                • API String ID: 3754839358-2422581269
                                                                                • Opcode ID: 91a11773fc6a589897db5c3940ec81170e171f8b4ae18ea5e6641c886d7a6c48
                                                                                • Instruction ID: aa7417d04c5bb0dd70febfd6f743ceb632d8cbf3717b1c36d74b77db4533dbce
                                                                                • Opcode Fuzzy Hash: 91a11773fc6a589897db5c3940ec81170e171f8b4ae18ea5e6641c886d7a6c48
                                                                                • Instruction Fuzzy Hash: A4113072D00118EFCB04DF95D885BDDBBB4EF44324F10812AF5199B1A1D7749A44CB58
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046952B
                                                                                • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469541
                                                                                • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469574
                                                                                • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 004695DC
                                                                                • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,004629ED,?), ref: 00469601
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: String$ByteCharMultiWide
                                                                                • String ID: )F
                                                                                • API String ID: 352835431-1070133202
                                                                                • Opcode ID: 5a379001549b9402f075e7a3d2bc38e1d20ce8d8fe187049eae39cf203c63ff9
                                                                                • Instruction ID: c3b7cbf578a4f100360659d34f1e19fbe27f187d68e4f7fdfd8ff7bdbe5fa8f8
                                                                                • Opcode Fuzzy Hash: 5a379001549b9402f075e7a3d2bc38e1d20ce8d8fe187049eae39cf203c63ff9
                                                                                • Instruction Fuzzy Hash: 85113D32900209ABDF228F94CD449DEBFB5FF48750F148569F91162160D3768E61DB55
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(0051AD08), ref: 0046E525
                                                                                • InterlockedDecrement.KERNEL32(0051AD08), ref: 0046E53C
                                                                                  • Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
                                                                                  • Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C
                                                                                • InterlockedDecrement.KERNEL32(0051AD08), ref: 0046E56C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
                                                                                • String ID: m4F
                                                                                • API String ID: 2038102319-2614859315
                                                                                • Opcode ID: f56620686cb74791d32d136e5c9c0ea4dd61fd69cfa01a7405b7a061497df9e0
                                                                                • Instruction ID: 3699e6e87b21ed1b02a0105f7244611f8b864d5753c5fcb6df8eb5d1e4a38bae
                                                                                • Opcode Fuzzy Hash: f56620686cb74791d32d136e5c9c0ea4dd61fd69cfa01a7405b7a061497df9e0
                                                                                • Instruction Fuzzy Hash: 72F0903610121ABBDB116FD6AC4199E3798EF84369F04443EF50505151EBB55A12869B
                                                                                APIs
                                                                                • GlobalAlloc.KERNEL32(00000040,#G,00000000,00476F78,?,00000000,?,?,0047230A,?,00000000,?,?), ref: 00476F8F
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00476F9D
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00476FD1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Global$AllocLockUnlock
                                                                                • String ID: #G
                                                                                • API String ID: 3972497268-2764570518
                                                                                • Opcode ID: 4bbaee8282b53a55c25b47964a58e88ebc5eb5f714c14162cc3b65c16e9c4791
                                                                                • Instruction ID: 4f12b76569c5b7c9d9e87cfae53657f30aa98190fe3b42406f3c855fa17f429b
                                                                                • Opcode Fuzzy Hash: 4bbaee8282b53a55c25b47964a58e88ebc5eb5f714c14162cc3b65c16e9c4791
                                                                                • Instruction Fuzzy Hash: 6FF0F072900602ABD7609F64EC09E6AB7F4FF44300B15CC2EF989C3250E374E899CB15
                                                                                APIs
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 00478882
                                                                                • GetClassNameA.USER32(00000000,?,0000000A), ref: 0047889D
                                                                                • lstrcmpiA.KERNEL32(?,combobox), ref: 004788AC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClassLongNameWindowlstrcmpi
                                                                                • String ID: combobox
                                                                                • API String ID: 2054663530-2240613097
                                                                                • Opcode ID: 65d7b5280bd3e05bba082ad91dae0627e4f963beb53e2cc18d0260e067e873e5
                                                                                • Instruction ID: 8033ba15f317681660d57f643f54750901f3a10673394120bddeac407067b3f6
                                                                                • Opcode Fuzzy Hash: 65d7b5280bd3e05bba082ad91dae0627e4f963beb53e2cc18d0260e067e873e5
                                                                                • Instruction Fuzzy Hash: 67E0E5325A0209BFCF40AF60CC4DA9D3B68EB00301F10853AB52AE5090DB34D149CB59
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(KERNEL32,00460EB0), ref: 00466074
                                                                                • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00466084
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                • API String ID: 1646373207-3105848591
                                                                                • Opcode ID: 62f5441584a6ec97a87fca1abe4d7c580f0184ee8fc490a446cc450bea8109f4
                                                                                • Instruction ID: 5b093410ee1e546a08ae72aee597d809d8e0cdbfafd2c430d4278d0458039995
                                                                                • Opcode Fuzzy Hash: 62f5441584a6ec97a87fca1abe4d7c580f0184ee8fc490a446cc450bea8109f4
                                                                                • Instruction Fuzzy Hash: F8C0123035030253D9606BB19C19F1E21481B08B43F55083BA50DD4680EE68D500552E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b87f7e8928570c3293da41dcbe6def17c3e950dbd5f9b8b2005c870bd6766bed
                                                                                • Instruction ID: 0676d73c22ecd4589984e604746bb89cf3a6c3e5c538f517ea729b90bcbc0727
                                                                                • Opcode Fuzzy Hash: b87f7e8928570c3293da41dcbe6def17c3e950dbd5f9b8b2005c870bd6766bed
                                                                                • Instruction Fuzzy Hash: 499148B1D01294AACF21EF699C409DE7AB4EF44765F20021BF815B6291F7398E40DB6F
                                                                                APIs
                                                                                • HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000), ref: 0046A29D
                                                                                • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000), ref: 0046A2C1
                                                                                • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000), ref: 0046A2DB
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000,?), ref: 0046A39C
                                                                                • HeapFree.KERNEL32(00000000,00000000,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000,?,00000000), ref: 0046A3B3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual$FreeHeap
                                                                                • String ID:
                                                                                • API String ID: 714016831-0
                                                                                • Opcode ID: 7e8d4c338e1b366931e40148bb8043b3ebc89daed19ccdca063ff6b3309603ff
                                                                                • Instruction ID: 7ceeeae8b3e58c0154ad3d75aad2ef64ad170c482578115f1cde978b5a8352b8
                                                                                • Opcode Fuzzy Hash: 7e8d4c338e1b366931e40148bb8043b3ebc89daed19ccdca063ff6b3309603ff
                                                                                • Instruction Fuzzy Hash: 2B313171640B059FD3218F24EC41B26B7E0EB44B54F10453AEA55A73D0FB7CA8A4DB4E
                                                                                APIs
                                                                                • midiStreamOpen.WINMM(?,?,00000001,00423A00,?,00030000,?,?,?,00000000), ref: 004233EB
                                                                                • midiStreamProperty.WINMM ref: 004234D2
                                                                                • midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,?,?,00000000), ref: 00423620
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                 • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: midi$Stream$HeaderOpenPrepareProperty
                                                                                • String ID:
                                                                                • API String ID: 2061886437-0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID: "$%d, %d$\VO
                                                                                • API String ID: 2111968516-319548089
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 0041CACB
                                                                                  • Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: TextWindowwsprintf
                                                                                • String ID: \VO$`\A
                                                                                • API String ID: 430165219-155183320
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                APIs
                                                                                • ReadFile.KERNEL32(000001D0,000001D0,00000000,000001D0,00000000,00000000,00000000,00000000), ref: 0046BB72
                                                                                • GetLastError.KERNEL32 ref: 0046BB7C
                                                                                • ReadFile.KERNEL32(?,?,00000001,000001D0,00000000), ref: 0046BC42
                                                                                • GetLastError.KERNEL32 ref: 0046BC4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastRead
                                                                                • String ID:
                                                                                • API String ID: 1948546556-0
                                                                                APIs
                                                                                • GetClientRect.USER32(?,?), ref: 004214E2
                                                                                • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042153A
                                                                                • __ftol.LIBCMT ref: 00421625
                                                                                • __ftol.LIBCMT ref: 00421632
                                                                                  • Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
                                                                                  • Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ObjectSelect__ftol$ClientRect
                                                                                • String ID:
                                                                                • API String ID: 2514210182-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteObject$Release
                                                                                • String ID:
                                                                                • API String ID: 2600533906-0
                                                                                APIs
                                                                                • IsWindow.USER32(00000001), ref: 00410364
                                                                                • GetParent.USER32(00000001), ref: 004103B4
                                                                                • IsWindow.USER32(?), ref: 004103D4
                                                                                • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 0041044F
                                                                                  • Part of subcall function 00475787: ShowWindow.USER32(?,?,0040E3DC,00000000), ref: 00475795
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$ParentShow
                                                                                • String ID:
                                                                                • API String ID: 2052805569-0
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0046B9CF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: ce8a87ea8cf3446ac1ca91bdb64e265e206ef6949272315ba5fa4ab1fae782bb
                                                                                • Instruction ID: 77592d1b29af7321ee1a7018eed3b6cd1b6b81bd231168f216050ec6e608b44a
                                                                                • Opcode Fuzzy Hash: ce8a87ea8cf3446ac1ca91bdb64e265e206ef6949272315ba5fa4ab1fae782bb
                                                                                • Instruction Fuzzy Hash: F551B671900248EFCB11CFA8C884AAE7BB4FF41350F1485AAE915DB251E734DE84CB9A

APIs
• CreateSolidBrush.GDI32(?), ref: 0044167A
• SendMessageA.USER32(?,00000030,00000000,00000000), ref: 004416BE
• SendMessageA.USER32(?,000000B1,?,000000FF), ref: 004416F4
• SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00441703
  • Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: MessageSend$BrushCreateSolidTextWindow
• String ID:
• API String ID: 3501373727-0
• Opcode ID: 0cadf077a1faec3d132d784520d4ff896d100c4fa04386011f8b64846b1e290a
• Instruction ID: a2454982319da30a903411cd454487a92ba701b631de0fcfbd6a78aa6767c7c4
• Opcode Fuzzy Hash: 0cadf077a1faec3d132d784520d4ff896d100c4fa04386011f8b64846b1e290a
• Instruction Fuzzy Hash: 6D3148B4204700AFD324DF19C855B2AFBF5EB88B14F108A1EF5598B791DBB9E840CB59

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: ,!O$0%x$ O8
• API String ID: 2111968516-898697609
• Opcode ID: c41a35089f416c6284a470480a56969be2d8c41dd07900f163f283ddb541e515
• Instruction ID: fd089378e4da1e448a884d101375c2c560dac89b8c86bab1326439607aaa80bb
• Opcode Fuzzy Hash: c41a35089f416c6284a470480a56969be2d8c41dd07900f163f283ddb541e515
• Instruction Fuzzy Hash: E721F6722147045AD718D624CC52B3FB7D9EBC8350F54052FF692872C0CFA8D909C39A

APIs
  • Part of subcall function 00478FC7: GetParent.USER32(?), ref: 00478FFA
  • Part of subcall function 00478FC7: GetLastActivePopup.USER32(?), ref: 00479009
  • Part of subcall function 00478FC7: IsWindowEnabled.USER32(?), ref: 0047901E
  • Part of subcall function 00478FC7: EnableWindow.USER32(?,00000000), ref: 00479031
• SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00478E85
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 00478EF3
• MessageBoxA.USER32(00000000,?,?,00000000), ref: 00478F01
• EnableWindow.USER32(00000000,00000001), ref: 00478F1D
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
• String ID:
• API String ID: 1958756768-0
• Opcode ID: 18b0c601841b15aa6d059dd182d20111807b22c304eabbd33af568a5ec3fe3cb
• Instruction ID: f59c3b812d087f8928edbd99408dddc3e9858eaf2b351d33065fb75313e81677
• Opcode Fuzzy Hash: 18b0c601841b15aa6d059dd182d20111807b22c304eabbd33af568a5ec3fe3cb
• Instruction Fuzzy Hash: AC219172A40108AFDB209F94CC89AEFB7B9FB44714F14843EE608E3250DB759E448BA5
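The report prints the uMsg argument of each SendMessageA call as a raw hex constant (refs 004416BE, 004416F4 and 00441703 in the CreateSolidBrush record, 00478E85 in the record just above). The Python helper below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API-call lines in the shape the report uses (bullet, API.Module(args), "ref: <addr>", with the optional "Part of subcall function <addr>:" prefix and the paren-less form used for argument-free APIs) and resolves the message identifier of SendMessage/PostMessage calls against a small table of winuser.h and MFC afxpriv.h constants. The sample lines are copied from the two records named; the constant table is a hand-picked subset and is meant to be extended. 0x30 is WM_SETFONT, 0xB1 is EM_SETSEL, 0xB7 is EM_SCROLLCARET, and 0x376 is MFC's private WM_HELPPROMPTADDR, which places the function at 00478E85 in MFC framework code (the GetParent/GetLastActivePopup/IsWindowEnabled subcall followed by GetModuleFileNameA, MessageBoxA and EnableWindow is consistent with the AfxMessageBox path of CWinApp::DoMessageBox) rather than in sample-specific logic.

```python
"""Resolve raw window-message constants in Joe Sandbox API-call lines.

Added example, not part of the Joe Sandbox report or of the analysed sample.
The line shape is taken from the report text; the constant table is a small
hand-picked subset of winuser.h / afxpriv.h (assumption: extend as needed).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: API-call lines copied from two function records of the report.
SAMPLE_LINES = """\
• CreateSolidBrush.GDI32(?), ref: 0044167A
• SendMessageA.USER32(?,00000030,00000000,00000000), ref: 004416BE
• SendMessageA.USER32(?,000000B1,?,000000FF), ref: 004416F4
• SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00441703
  • Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3
• SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00478E85
• MessageBoxA.USER32(00000000,?,?,00000000), ref: 00478F01
"""

# uMsg values seen in the sample. WM_*/EM_* come from winuser.h;
# 0x0376 is MFC's private WM_HELPPROMPTADDR (afxpriv.h).
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT",
    0x00B1: "EM_SETSEL",
    0x00B7: "EM_SCROLLCARET",
    0x0376: "WM_HELPPROMPTADDR",
}

# APIs whose second argument is a window-message identifier.
MESSAGE_APIS = {"SendMessageA", "SendMessageW", "PostMessageA", "PostMessageW"}

# One report line: optional subcall prefix, API.Module, optional "(args)",
# then "ref: <8 hex digits>". Argument-free APIs are printed without parens
# and without the comma, e.g. "• GetMessagePos.USER32 ref: 0040C0E8".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]      # None where the report prints "?"
    ref: str                       # call-site address exactly as printed
    subcall: Optional[str] = None  # callee address when nested under a subcall

    def message_name(self) -> Optional[str]:
        """Symbolic uMsg for message-passing APIs; hex string if unknown; else None."""
        if self.api not in MESSAGE_APIS or len(self.args) < 2:
            return None
        msg = self.args[1]
        if msg is None:  # argument not recovered by the sandbox
            return None
        return WINDOW_MESSAGES.get(msg, "0x%04X" % msg)


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report API lines; raise on a line that does not fit the format."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised API line: %r" % line)
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("subcall")))
    return calls


def summarize(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """(ref, api, resolved message name or None) for every line, in order."""
    return [(c.ref, c.api, c.message_name()) for c in parse_api_lines(text)]


if __name__ == "__main__":
    for ref, api, msg in summarize(SAMPLE_LINES):
        print(ref, api, msg or "")
```

Unknown message numbers are returned as a zero-padded hex string rather than None so that an unresolved constant is visible in the output and can be added to the table; a None only means the API is not a message-passing call or the sandbox did not recover the argument.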

APIs
• lstrcpynA.KERNEL32(0047599C,?,00000104,?,?,?,?,?,?,?,0047598A,?), ref: 004759CA
• GetFileTime.KERNEL32(00000000,0047598A,?,?,?,?,?,?,?,?,?,0047598A,?), ref: 004759EB
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0047598A,?), ref: 004759FA
• GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,0047598A,?), ref: 00475A1B
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: File$AttributesSizeTimelstrcpyn
• String ID:
• API String ID: 1499663573-0
• Opcode ID: b80975c059b9540ccbec6622bca63b71363b83ccb7dbc5ee5f85d425cc7d6a31
• Instruction ID: ad75c2e8f81d007a769454aa23ac8f21c60a34c194146d1856053fc2a6a6f42c
• Opcode Fuzzy Hash: b80975c059b9540ccbec6622bca63b71363b83ccb7dbc5ee5f85d425cc7d6a31
• Instruction Fuzzy Hash: E9314172510609AFDB10DF64DC85AEBB7B8BB14310F108A3EF156DB590E7B4A988CB94

APIs
• GetMessagePos.USER32 ref: 0040C0E8
• ScreenToClient.USER32(?,?), ref: 0040C10A
• ChildWindowFromPointEx.USER32(?,?,?,00000005), ref: 0040C120
• GetFocus.USER32 ref: 0040C12B
  • Part of subcall function 004757F0: SetFocus.USER32(?,00411BE3), ref: 004757FA
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Focus$ChildClientFromMessagePointScreenWindow
• String ID:
• API String ID: 3117237277-0
• Opcode ID: 5cf6b0a2dee58f06aa9dfcd361a6029909ef63f3001a5ce2e3c53427cae5a828
• Instruction ID: 0412fe23eb9ff6f3894f01fa5feb2a14950c3f8df382ee4e7b2f7e8fb51cefdd
• Opcode Fuzzy Hash: 5cf6b0a2dee58f06aa9dfcd361a6029909ef63f3001a5ce2e3c53427cae5a828
• Instruction Fuzzy Hash: 8821B671300601ABD324DB24CC41FAFB3A9BF84708F04853EF9459B382DB38E9568B99

APIs
• GetVersion.KERNEL32 ref: 00460D7B
  • Part of subcall function 00465E36: HeapCreate.KERNELBASE(00000000,00001000,00000000,00460DB3,00000001), ref: 00465E47
  • Part of subcall function 00465E36: HeapDestroy.KERNEL32 ref: 00465E86
• GetCommandLineA.KERNEL32 ref: 00460DDB
• GetStartupInfoA.KERNEL32(?), ref: 00460E06
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00460E29
  • Part of subcall function 00460E82: ExitProcess.KERNEL32 ref: 00460E9F
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
• String ID:
• API String ID: 2057626494-0
• Opcode ID: 8b82d0610ab3d1d62a4eb495c3add024158ee8c7d1c3baac9356294e9090662c
• Instruction ID: c30c858c66c05b3aa47d89c326ba0563f42dd63914086c04cf86f7e32328d0f1
• Opcode Fuzzy Hash: 8b82d0610ab3d1d62a4eb495c3add024158ee8c7d1c3baac9356294e9090662c
• Instruction Fuzzy Hash: B521D3B1801714AFDB04BFB6DC4AAAE7BA8EF04714F10452FF5019B291FB398900DB5A
                                                                                APIs
                                                                                • StartPage.GDI32(?), ref: 0040C9A5
                                                                                • EndPage.GDI32(?), ref: 0040C9CB
                                                                                  • Part of subcall function 00419360: wsprintfA.USER32 ref: 0041936F
                                                                                  • Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3
                                                                                • UpdateWindow.USER32(?), ref: 0040CA1A
                                                                                • EndPage.GDI32(?), ref: 0040CA32
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Page$Window$StartTextUpdatewsprintf
                                                                                • String ID:
                                                                                • API String ID: 104827578-0
                                                                                • Opcode ID: 87e4e5f4961113ed1ea1be3bfdbb4525f84b341f547e229db3b0bbc5ed9f7b2c
                                                                                • Instruction ID: 79726203bd45200697234c43343935048a14d825f4a6b0b9a0ff78cb4a58cf9e
                                                                                • Opcode Fuzzy Hash: 87e4e5f4961113ed1ea1be3bfdbb4525f84b341f547e229db3b0bbc5ed9f7b2c
                                                                                • Instruction Fuzzy Hash: 542150B1701B009BC264DB3AD884BDBB7E9EFC5705F10892EE5AFD6250E634A4458F58
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Parent$RectWindow
                                                                                • String ID:
                                                                                • API String ID: 2276825053-0
                                                                                • Opcode ID: 3fa578b7b7422879f321c53aa662269ed82e927f9905939ca72f009f82550d62
                                                                                • Instruction ID: 1640b5b8d2b67f05f64fadbf04484e01987407c17399ab641615a293fca3cba6
                                                                                • Opcode Fuzzy Hash: 3fa578b7b7422879f321c53aa662269ed82e927f9905939ca72f009f82550d62
                                                                                • Instruction Fuzzy Hash: 05118CB5A043056BE724EF74C885DAFB7A9EF84200F00892EBC1693341EA78FC098775
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046DC1C
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046DC2F
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046DC7B
                                                                                • CompareStringW.KERNEL32(00450EB6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046DC93
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$CompareString
                                                                                • String ID:
                                                                                • API String ID: 376665442-0
                                                                                • Opcode ID: 6655f26ffc0afa8016740ca33ddbdfb13ffcd7e0004bf3d731a60cd1137e0aeb
                                                                                • Instruction ID: e19b81a4661682579d86ddb5aab8191b703a949f75eb5e89d80fb10038dfc18f
                                                                                • Opcode Fuzzy Hash: 6655f26ffc0afa8016740ca33ddbdfb13ffcd7e0004bf3d731a60cd1137e0aeb
                                                                                • Instruction Fuzzy Hash: 77213832D0020DEBCF218F94CD859DEBFB6FF49350F10452AFA1566260D3769921DBA5
                                                                                APIs
                                                                                • GetTopWindow.USER32(?), ref: 0040E89D
                                                                                  • Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
                                                                                  • Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767
                                                                                • SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 0040E8F6
                                                                                • SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 0040E906
                                                                                • GetWindow.USER32(00000000,00000002), ref: 0040E90B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSendWindow$ChildParent
                                                                                • String ID:
                                                                                • API String ID: 1043810220-0
                                                                                • Opcode ID: 983395c40ee5904a749397dd9b96e0fd0da87e834a3b7062d3655be47a7811a2
                                                                                • Instruction ID: 8c81c6e933d9ccce6afc50cee7c653784b8d28663058d5f999d6f23c9f8fc6d1
                                                                                • Opcode Fuzzy Hash: 983395c40ee5904a749397dd9b96e0fd0da87e834a3b7062d3655be47a7811a2
                                                                                • Instruction Fuzzy Hash: 4E019E723807167AE275562A9C46F6B62585B81B10F510A36BA00FA2D1DEA8EC20866D
                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 004324BB
                                                                                • SendMessageA.USER32(?,000083EB,?,00000000), ref: 004324E5
                                                                                • SendMessageA.USER32(?,000083EC,?,00000000), ref: 004324F9
                                                                                • SendMessageA.USER32(?,000083E9,?,00000000), ref: 0043251C
                                                                                  • Part of subcall function 004756DC: GetDlgCtrlID.USER32(?), ref: 004756E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$CtrlParent
                                                                                • String ID:
                                                                                • API String ID: 1383977212-0
                                                                                • Opcode ID: e66c7ec9dde963a66869cf152d950e225302d2855a0dd4059c7b650e4c17af0b
                                                                                • Instruction ID: 42702cda0262ca79ca67ff3d12cf12f48b302c672bc58014daa9b4585956dd87
                                                                                • Opcode Fuzzy Hash: e66c7ec9dde963a66869cf152d950e225302d2855a0dd4059c7b650e4c17af0b
                                                                                • Instruction Fuzzy Hash: E20188B13007083BD51077658D81D6FB26CAB88B04F40851EF50597281CEA8FD0147BC
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00471AE7
                                                                                • GetCurrentProcess.KERNEL32(?,00000000), ref: 00471AED
                                                                                • DuplicateHandle.KERNEL32(00000000), ref: 00471AF0
                                                                                • GetLastError.KERNEL32(00000000), ref: 00471B0A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentProcess$DuplicateErrorHandleLast
                                                                                • String ID:
                                                                                • API String ID: 3907606552-0
                                                                                • Opcode ID: 8482aed165c2512234180adf1d9e1824d894ad1c444c2f423e361db84f3c2d5e
                                                                                • Instruction ID: bd135dfb245c9f2fee2e2f103d1c79ab93f8f9c0d894a6a10ea5be06ec73e52a
                                                                                • Opcode Fuzzy Hash: 8482aed165c2512234180adf1d9e1824d894ad1c444c2f423e361db84f3c2d5e
                                                                                • Instruction Fuzzy Hash: 990184357002006BDB50ABAE8C4AF9E7B9DEF44760F14856AF509DB2A1EAB4EC008764
                                                                                APIs
                                                                                • WindowFromPoint.USER32(?,?), ref: 0047039C
                                                                                • GetParent.USER32(00000000), ref: 004703A9
                                                                                • ScreenToClient.USER32(00000000,?), ref: 004703CA
                                                                                • IsWindowEnabled.USER32(00000000), ref: 004703E3
                                                                                  • Part of subcall function 00478871: GetWindowLongA.USER32(00000000,000000F0), ref: 00478882
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$ClientEnabledFromLongParentPointScreen
                                                                                • String ID:
                                                                                • API String ID: 2204725058-0
                                                                                • Opcode ID: 2b4dbf0198ff72efe3d83c6f3a83321ee806fa80e5152eaf4b6216687f7dbd4a
                                                                                • Instruction ID: 52fe14495a31689bff503b43dcac7968387efcd0b9720fcffea49beac97ce636
                                                                                • Opcode Fuzzy Hash: 2b4dbf0198ff72efe3d83c6f3a83321ee806fa80e5152eaf4b6216687f7dbd4a
                                                                                • Instruction Fuzzy Hash: 56017C36642511AB87029B9A9C089EFBAB9EF85740B14802EFD09D3310EB74DD059B69
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,?), ref: 0047445C
                                                                                • GetTopWindow.USER32(00000000), ref: 0047446F
                                                                                • GetTopWindow.USER32(?), ref: 0047449F
                                                                                • GetWindow.USER32(00000000,00000002), ref: 004744BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Item
                                                                                • String ID:
                                                                                • API String ID: 369458955-0
APIs
• GetTopWindow.USER32(?), ref: 004744D8
• SendMessageA.USER32(00000000,?,?,?), ref: 0047450E
• GetTopWindow.USER32(00000000), ref: 0047451B
• GetWindow.USER32(00000000,00000002), ref: 00474539
Similarity
• API ID: Window$MessageSend
• String ID:
• API String ID: 1496643700-0
APIs
Similarity
• API ID: Item$EnableFocusMenuNextParent
• String ID:
• API String ID: 988757621-0
APIs
• RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0047921F
• RegCloseKey.ADVAPI32(00000000,?,?), ref: 00479228
• wsprintfA.USER32 ref: 00479244
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0047925D
Similarity
• API ID: ClosePrivateProfileStringValueWritewsprintf
• String ID:
• API String ID: 1902064621-0
APIs
• GetObjectA.GDI32(00000000,0000000C,?), ref: 00474BF7
• SetBkColor.GDI32(00000000,00000000), ref: 00474C03
• GetSysColor.USER32(00000008), ref: 00474C13
• SetTextColor.GDI32(00000000,?), ref: 00474C1D
  • Part of subcall function 00478871: GetWindowLongA.USER32(00000000,000000F0), ref: 00478882
Similarity
• API ID: Color$LongObjectTextWindow
• String ID:
• API String ID: 2871169696-0
APIs
• InterlockedExchange.KERNEL32(0051AC58,00000001), ref: 0046EE16
• InitializeCriticalSection.KERNEL32(0051AC40,?,?,?,0046EDAD), ref: 0046EE21
• EnterCriticalSection.KERNEL32(0051AC40,?,?,?,0046EDAD), ref: 0046EE60
Similarity
• API ID: CriticalSection$EnterExchangeInitializeInterlocked
• String ID:
• API String ID: 3643093385-0
APIs
Strings
Similarity
• API ID: wsprintf
• String ID: %d.%d$gfff
• API String ID: 2111968516-3773932281
APIs
• GetWindowExtEx.GDI32(?,?), ref: 00477CBB
• GetViewportExtEx.GDI32(?,?), ref: 00477CC8
• MulDiv.KERNEL32(?,00000000,00000000), ref: 00477CED
• MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D08
                                                                                Similarity
                                                                                • API ID: ViewportWindow
                                                                                • String ID:
                                                                                • API String ID: 1589084482-0
                                                                                • Opcode ID: dfc845a6968910fac889864f4fcc9f57ebc784cfaa4d233433e403db94c4de0e
                                                                                • Instruction ID: 767944e921de6bc67fe0cc032fde4d9675f5cd915e55196d6398597cd8d26b68
                                                                                • Opcode Fuzzy Hash: dfc845a6968910fac889864f4fcc9f57ebc784cfaa4d233433e403db94c4de0e
                                                                                • Instruction Fuzzy Hash: 6DF01976800108BFEF117B61ED0ACAEBBBDEF86310710483EF95192171EB71AD549B58
APIs
• GetWindowExtEx.GDI32(?,?), ref: 00477D24
• GetViewportExtEx.GDI32(?,?), ref: 00477D31
• MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D56
• MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D71
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: ViewportWindow
• String ID:
• API String ID: 1589084482-0
• Opcode ID: 28a3238d5cd6bb27234265935c6a76c60f9ca0fb3652fde87231de1beddd0028
• Instruction ID: 48812a4b2ee311ed5035f98de22daf18ed24feb1be4866cb34c85e970939ef63
• Opcode Fuzzy Hash: 28a3238d5cd6bb27234265935c6a76c60f9ca0fb3652fde87231de1beddd0028
• Instruction Fuzzy Hash: 81F01976800108BFEF117B61ED0ACAEBBBDEF86310710483EF95192171EB71AD549B58
APIs
• GetClientRect.USER32(?), ref: 00431E1F
• PtInRect.USER32(?,?,?), ref: 00431E34
  • Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8
  • Part of subcall function 00432250: UpdateWindow.USER32(00000002), ref: 0043226D
• GetCapture.USER32 ref: 00431E5C
• SetCapture.USER32(00000002), ref: 00431E67
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: CaptureRectWindow$ClientEnabledUpdate
• String ID:
• API String ID: 2789096292-0
• Opcode ID: 2f1c6b9db328b2fa4602e8743c9fd717a6b1e388f9f9ad59fc05a77ec411fe08
• Instruction ID: 667ce2fa9f6084ff7c9be60e82219702445662034a606e764793f0253b7cdfcb
• Opcode Fuzzy Hash: 2f1c6b9db328b2fa4602e8743c9fd717a6b1e388f9f9ad59fc05a77ec411fe08
• Instruction Fuzzy Hash: B2F04F316106109BD3A4AB64DD459AF73ACAF98B00F04491EF946C3261DB79E9058BA9
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 00409FCA
• RegQueryValueA.ADVAPI32 ref: 00409FEE
• lstrcpyA.KERNEL32(?,00000000), ref: 0040A001
• RegCloseKey.ADVAPI32(?), ref: 0040A00C
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValuelstrcpy
• String ID:
• API String ID: 534897748-0
• Opcode ID: aafda49c741e81cac164e1e17a97ce70e0591c0bf146f6feeefe49c244375635
• Instruction ID: 3170904fe6f49d3d1a7073d8894fe0a4a880854ab71c55b704a3587bed78fbf4
• Opcode Fuzzy Hash: aafda49c741e81cac164e1e17a97ce70e0591c0bf146f6feeefe49c244375635
• Instruction Fuzzy Hash: 29F03C75114305BFD320DB10D888FAFBBA8FF85754F00892CB98882250D6B0D848DBA2
APIs
• lstrlenA.KERNEL32(?), ref: 00478968
• GetWindowTextA.USER32(?,?,00000100), ref: 00478984
• lstrcmpA.KERNEL32(?,?), ref: 00478998
• SetWindowTextA.USER32(?,?), ref: 004789A8
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: TextWindow$lstrcmplstrlen
• String ID:
• API String ID: 330964273-0
• Opcode ID: 9371f575e3185c2a01eaebe746d973e8c7ac01405ba2f2f1ce45b1672bc2b9f6
• Instruction ID: 109b06fdf509409025cc74f2ed0fffdb65eaad036146733461488f20b948b61e
• Opcode Fuzzy Hash: 9371f575e3185c2a01eaebe746d973e8c7ac01405ba2f2f1ce45b1672bc2b9f6
• Instruction Fuzzy Hash: 00F0FE71400018AFDF626F64DC08ADE7B69FB08390F048566F949E1120DB75CE94DB9A
APIs
• GetStockObject.GDI32(00000011), ref: 00413B5D
• GetObjectA.GDI32(00000000), ref: 00413B64
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: Object$Stock
• String ID: `\A
• API String ID: 1996491644-2688774508
• Opcode ID: 5f12d60e5a78c731cb25799951413c524574fdbd7c0cf3d00ceb85e9aedd3aa1
• Instruction ID: bdc55b84dc5b9fd4334a8a381d692ba1c2ee4bb36110122106d84c3e310d8724
• Opcode Fuzzy Hash: 5f12d60e5a78c731cb25799951413c524574fdbd7c0cf3d00ceb85e9aedd3aa1
• Instruction Fuzzy Hash: 0181BC76604B41CFC314DF28C451AABB7E1FFC8710F14892EE89687391D738A856CB96
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00460FB2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 212a8d856db3816d4406613bec46858bc7cac588b53281c0afa33b79318dbcd7
• Instruction ID: 4171650f2f4a1df392c0191d016635fe788e80799915e171b59a20db18761cc3
• Opcode Fuzzy Hash: 212a8d856db3816d4406613bec46858bc7cac588b53281c0afa33b79318dbcd7
• Instruction Fuzzy Hash: A2516C70A1810296CB257B59C90137B2B94AF51710F25CD6BE885823A8FB7D8CD9DA8F
APIs
• CopyRect.USER32(?,00000000), ref: 0042D700
• IsRectEmpty.USER32(?), ref: 0042D70B
  • Part of subcall function 0042A7E0: CreateFontIndirectA.GDI32(?), ref: 0042A90C
  • Part of subcall function 004415F0: CreateSolidBrush.GDI32(?), ref: 0044167A
  • Part of subcall function 004415F0: SendMessageA.USER32(?,00000030,00000000,00000000), ref: 004416BE
  • Part of subcall function 004415F0: SendMessageA.USER32(?,000000B1,?,000000FF), ref: 004416F4
  • Part of subcall function 004415F0: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00441703
Strings
Memory Dump Source
• Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
Yara matches
Similarity
• API ID: MessageSend$CreateRect$BrushCopyEmptyFontIndirectSolid
• String ID: \VO
• API String ID: 4199050670-2422581269
• Opcode ID: 6dab97d4302485b34c6f8bc53f07f910a48471d08e5a981b761e610bdc16ca13
• Instruction ID: f60b160a0031a8d90ff9a1883a2e007c51fb549e5d7e9841b8fb99ddac668227
• Opcode Fuzzy Hash: 6dab97d4302485b34c6f8bc53f07f910a48471d08e5a981b761e610bdc16ca13
• Instruction Fuzzy Hash: 6B6192703047519FD324EB25D851B6BB7E9BFD8708F40491EF68683381EBB8E9058B66
                                                                                APIs
                                                                                  • Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
                                                                                  • Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C
                                                                                • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00460DF5), ref: 0046508C
                                                                                  • Part of subcall function 00468555: LeaveCriticalSection.KERNEL32(?,00462712,00000009,004626FE,00000000,?,00000000,00000000,00000000), ref: 00468562
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterInfoInitializeLeave
                                                                                • String ID: iO$0hO
                                                                                • API String ID: 1866836854-3891599295
                                                                                • Opcode ID: 20ec889f60c6588de9c1acbfd770fb54cca6662076d46a1b784432f58641761b
                                                                                • Instruction ID: c923f71560c60628e42dc69d23c8bd4a305f714fa178b3e21f6f5aded566bfd6
                                                                                • Opcode Fuzzy Hash: 20ec889f60c6588de9c1acbfd770fb54cca6662076d46a1b784432f58641761b
                                                                                • Instruction Fuzzy Hash: 3C419971E05A416FEB12DB34DC843FA7BE59B06314F24416FE5448B292E67D484ACB8B
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,00000000), ref: 004652A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID: $
                                                                                • API String ID: 1807457897-3032137957
                                                                                • Opcode ID: 2f7578ec8ba704814a79f59183dfc3503d2b168d2c41fe87c96eb161924d6da2
                                                                                • Instruction ID: 0a2f1113c68eb85f9f9d5d409bdba79164b72a1d777722a96e4f14e97266964f
                                                                                • Opcode Fuzzy Hash: 2f7578ec8ba704814a79f59183dfc3503d2b168d2c41fe87c96eb161924d6da2
                                                                                • Instruction Fuzzy Hash: 33417C310016581FDB128715CD89BFB3FAD9B06B44F1404E6D989C7253E2A94D89DB67
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B4B1
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B50F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: `\A
                                                                                • API String ID: 3850602802-2688774508
                                                                                • Opcode ID: 4e846563cc9ca5d12bae5b3308cfacd542bc504a885ac32ce95212060d7f3b2a
                                                                                • Instruction ID: e00b1aa3a64edda0ebb46017065ed98eddd27ce3ede2d2440ea283d4d7ab7dbb
                                                                                • Opcode Fuzzy Hash: 4e846563cc9ca5d12bae5b3308cfacd542bc504a885ac32ce95212060d7f3b2a
                                                                                • Instruction Fuzzy Hash: 52419471108740AFC324DF26C885A6FB7E9FFC4718F104A2EF596932C1DB7899058B9A
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B641
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B69F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: `\A
                                                                                • API String ID: 3850602802-2688774508
                                                                                • Opcode ID: 999a7325f5b2202d19a6f1e4d80770e4fd245f9c6dcdfe12e67e022980dd02ca
                                                                                • Instruction ID: 670346674399c2dba06cb107e91aa43bf2a79514d6dd298aac24d7008dfbb52c
                                                                                • Opcode Fuzzy Hash: 999a7325f5b2202d19a6f1e4d80770e4fd245f9c6dcdfe12e67e022980dd02ca
                                                                                • Instruction Fuzzy Hash: 6441A4711087409FC324DF26C881A6FB7E8FFC4714F104A2EF596932D1DBB959058B9A
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B7D1
                                                                                • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B82F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: `\A
                                                                                • API String ID: 3850602802-2688774508
                                                                                • Opcode ID: 528b8edeaac06324250395da88c0f5e8818727179b3296a6b050354174c50f93
                                                                                • Instruction ID: 94b3e494e637acf84bc60025dc1123acbd2ba271fce7492f076d4c06f6b82f31
                                                                                • Opcode Fuzzy Hash: 528b8edeaac06324250395da88c0f5e8818727179b3296a6b050354174c50f93
                                                                                • Instruction Fuzzy Hash: 2B41A4711087419FC324EF26C881A6FB7E8FFC4714F104A2EF5A5932D1DB7899058B9A
                                                                                APIs
                                                                                  • Part of subcall function 0046FE29: __EH_prolog.LIBCMT ref: 0046FE2E
                                                                                  • Part of subcall function 0046FE29: SendMessageA.USER32(?,0000110C,00000000,?), ref: 0046FE7A
                                                                                  • Part of subcall function 0046FE29: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046FE83
                                                                                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004098CC
                                                                                • SendMessageA.USER32(?,0000110A,00000003,?), ref: 00409838
                                                                                  • Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A
                                                                                  • Part of subcall function 0047165F: __EH_prolog.LIBCMT ref: 00471664
                                                                                  • Part of subcall function 004715F9: __EH_prolog.LIBCMT ref: 004715FE
                                                                                  • Part of subcall function 00471503: InterlockedIncrement.KERNEL32(-000000F4), ref: 00471546
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologMessageSend$Interlocked$DecrementIncrementlstrlen
                                                                                • String ID: \VO
                                                                                • API String ID: 1725347760-2422581269
                                                                                • Opcode ID: 9bd6de667f26d1c9229c37c5ec5daf46954d820851f1164340cb64e6e1a28f54
                                                                                • Instruction ID: d92ebe92da421d1659773463777622f1bd55c83284f9b5bfad8cdcf729940095
                                                                                • Opcode Fuzzy Hash: 9bd6de667f26d1c9229c37c5ec5daf46954d820851f1164340cb64e6e1a28f54
                                                                                • Instruction Fuzzy Hash: 15418471508381AFC305DFA9C841A9FFBE8BF95714F004A1EF59593291DBB8D908CB66
                                                                                APIs
                                                                                  • Part of subcall function 00472D76: __EH_prolog.LIBCMT ref: 00472D7B
                                                                                • DestroyAcceleratorTable.USER32(?), ref: 0040E50B
                                                                                • DestroyIcon.USER32(00000000,?,?,?,005058D4,00000000), ref: 0040E535
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Destroy$AcceleratorH_prologIconTable
                                                                                • String ID: `\A
                                                                                • API String ID: 1516885281-2688774508
                                                                                • Opcode ID: 1d255b87550d275914525e1ebbd7717defa34fb0d57925d59eda7907f298e8ee
                                                                                • Instruction ID: 775ca92308f85a9897729adc8a612dc58421f5097e80363fbe6efaacf30fa4bf
                                                                                • Opcode Fuzzy Hash: 1d255b87550d275914525e1ebbd7717defa34fb0d57925d59eda7907f298e8ee
                                                                                • Instruction Fuzzy Hash: 6831D2B15007159FC310DF6AD880A2AB7E4FF44318F540E2FE445A7382E7789D148BD9
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpyn
                                                                                • String ID: \VO
                                                                                • API String ID: 588646068-2422581269
                                                                                • Opcode ID: 610392fe81648a739ac0f500bb9f82921e67f1f9246371256dba4bc4eae5396a
                                                                                • Instruction ID: 3216c4e49dc1d6730ad5413f679635b2654f560e746e2ebf90df1299a80aa2c5
                                                                                • Opcode Fuzzy Hash: 610392fe81648a739ac0f500bb9f82921e67f1f9246371256dba4bc4eae5396a
                                                                                • Instruction Fuzzy Hash: BE316DB0501741DFD721DF39D881B9BBBE0FB44308F10882FE59A97252D778A808CB5A
                                                                                APIs
                                                                                  • Part of subcall function 0047BAF5: LeaveCriticalSection.KERNEL32(?,0047AE75,00000010,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B,00476126,004773C2), ref: 0047BB0D
                                                                                  • Part of subcall function 00463C1C: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00460E35,00000000), ref: 00463C4A
                                                                                • wsprintfA.USER32 ref: 00473A5E
                                                                                • wsprintfA.USER32 ref: 00473A7A
                                                                                • GetClassInfoA.USER32(?,-00000058,?), ref: 00473A89
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
                                                                                • String ID: Afx:%x:%x
                                                                                • API String ID: 2529146597-2071556601
                                                                                • Opcode ID: 8435226cc81b8374e767ea666604062d6414ae829c95b5186c90fffca76efa7f
                                                                                • Instruction ID: 66cfd75e97f2c83f3c14577e4fed8a20604b3ead41e0dd9909153bb70698c104
                                                                                • Opcode Fuzzy Hash: 8435226cc81b8374e767ea666604062d6414ae829c95b5186c90fffca76efa7f
                                                                                • Instruction Fuzzy Hash: 76110671D00209AFDB10EFA9D8819DF7BB8EF48355B00842FF909E3241D7749A519BA9
                                                                                APIs
                                                                                • SendMessageA.USER32 ref: 0040B044
                                                                                • SendMessageA.USER32(0047C228,00000186,00000000,00000000), ref: 0040B057
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: \VO
                                                                                • API String ID: 3850602802-2422581269
                                                                                • Opcode ID: 7bcb56382f203f92bb360be545e10e7055090fe8f97e19c9ce728d13c29ff950
                                                                                • Instruction ID: 53abe11ae815a783adcc920e622eadbd3d623cbe3b9eed68381b5b20fed00556
                                                                                • Opcode Fuzzy Hash: 7bcb56382f203f92bb360be545e10e7055090fe8f97e19c9ce728d13c29ff950
                                                                                • Instruction Fuzzy Hash: 6D115E71204640ABD224DF28E851BABB7E4EB84720F504B1EF17A933D0CB78A8058B65
                                                                                APIs
                                                                                • GetSysColor.USER32(0000000F), ref: 0043233C
                                                                                  • Part of subcall function 00432A40: IsWindow.USER32(?), ref: 00432A4E
                                                                                  • Part of subcall function 00432A40: RedrawWindow.USER32(?,00000000,00000000,00000105,?,00432A3D,?,004324B7,?), ref: 00432A65
                                                                                • GetSysColor.USER32(00000012), ref: 00432348
                                                                                  • Part of subcall function 00432A70: IsWindow.USER32(?), ref: 00432A7E
                                                                                  • Part of subcall function 00432A70: RedrawWindow.USER32(?,00000000,00000000,00000105,?,00432A30,?,004324B7,?), ref: 00432A95
                                                                                  • Part of subcall function 00471553: lstrlenA.KERNEL32(?,?,?,0046F6D5,?), ref: 00471564
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$ColorRedraw$lstrlen
                                                                                • String ID: \VO
                                                                                • API String ID: 3716826877-2422581269
                                                                                • Opcode ID: 5bac33302833689086c9732894bea0c770fd6dbd45deb2b0cb1a90a7da780490
                                                                                • Instruction ID: 96e4ca6a6c563cbd8586b94625db8b8ee2a911f4fa33c4d52d56096a5dfb5eb0
                                                                                • Opcode Fuzzy Hash: 5bac33302833689086c9732894bea0c770fd6dbd45deb2b0cb1a90a7da780490
                                                                                • Instruction Fuzzy Hash: E011C2B0200745AFD714DF1AC802B6AB7E4FB44B08F00492FF18A97791CBBDA9048B59
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0047875E
                                                                                • lstrcpynA.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 004787C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpyn
                                                                                • String ID: \VO
                                                                                • API String ID: 588646068-2422581269
                                                                                • Opcode ID: c45771153aea5767220ff410ab9e14e2e82083b097921eaa62c7a59e7a9bd3fe
                                                                                • Instruction ID: a71a9644b934ac998ae84b6d1acc41753ad6a3535250134cc98731f36c80fdbe
                                                                                • Opcode Fuzzy Hash: c45771153aea5767220ff410ab9e14e2e82083b097921eaa62c7a59e7a9bd3fe
                                                                                • Instruction Fuzzy Hash: 7211883250020AEFCB14DF89CC84BEEBBB4BF04314F00852EF12A972A0CB789A14CB14
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004767DE
                                                                                • lstrcpynA.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 00476848
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpyn
                                                                                • String ID: \VO
                                                                                • API String ID: 588646068-2422581269
                                                                                • Opcode ID: 69f5c3184915103ebacf0fefc9ee30b69007a780203c0d253ae3728a41223605
                                                                                • Instruction ID: 52c0564d3985a7a4b101afd551ad902e1b0b262ee106b384b965da0abe797fcb
                                                                                • Opcode Fuzzy Hash: 69f5c3184915103ebacf0fefc9ee30b69007a780203c0d253ae3728a41223605
                                                                                • Instruction Fuzzy Hash: AC11763251064AEBCB14DF99CC44BEEBBB5BF04318F00852EF12A972A0CB789A14CB14
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004787FE
                                                                                • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 0047886A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologMessageSend
                                                                                • String ID: \VO
                                                                                • API String ID: 2337391251-2422581269
                                                                                • Opcode ID: 1b6fe466023abccb91115c7c38ef1b4dcdebbeb98d77aed33a2ee9b9b5dbb811
                                                                                • Instruction ID: 6657fc21c891a47c1ff0d5aeba75ee27a6975583502373d44de87d931a3cd47a
                                                                                • Opcode Fuzzy Hash: 1b6fe466023abccb91115c7c38ef1b4dcdebbeb98d77aed33a2ee9b9b5dbb811
                                                                                • Instruction Fuzzy Hash: A501F2B1900214AFDF10DF58C806BDEBBA0EF04714F20C55EF558AB2E1D7B89A02CB89
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00471664
                                                                                • lstrlenA.KERNEL32(00000000,00000000,?,?,0041281C,?,?,004EBC78,?,?,?,?,?,?,00000000,005057D0), ref: 0047168B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrlen
                                                                                • String ID: \VO
                                                                                • API String ID: 2133942097-2422581269
                                                                                • Opcode ID: ca935107dea9d81d13e7dabbb16eb301f7598db24a061b1e39ba39513095cfc9
                                                                                • Instruction ID: d542f7bc7d66c7a23b97b677f53885a3f42558b3377023c90f75084e7cdcbfaf
                                                                                • Opcode Fuzzy Hash: ca935107dea9d81d13e7dabbb16eb301f7598db24a061b1e39ba39513095cfc9
                                                                                • Instruction Fuzzy Hash: EF011A71920259EFCB05DF54CC45BEEB778FB08318F10852EF416A62A0D7B4AA14CB58
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004716D8
                                                                                • lstrlenA.KERNEL32(?,?,?,?,00438AAF,?,004F2190,?), ref: 004716FF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrlen
                                                                                • String ID: \VO
                                                                                • API String ID: 2133942097-2422581269
                                                                                • Opcode ID: bf6d714f83b775fa9c125178d7f17d48e2b3ee8d4544db423a2ba86cf05d867c
                                                                                • Instruction ID: 1bff26d244639c0aea2ccb8df215bdb040bf91bda4575c97149ea729dd75a3a2
                                                                                • Opcode Fuzzy Hash: bf6d714f83b775fa9c125178d7f17d48e2b3ee8d4544db423a2ba86cf05d867c
                                                                                • Instruction Fuzzy Hash: FF010C71910219EBCB05DF98C845FEE7774FB08318F10855EF416A6260D7B89A04CB54
                                                                                APIs
                                                                                • SelectClipRgn.GDI32(?,00000000), ref: 00477AC7
                                                                                • SelectClipRgn.GDI32(?,?), ref: 00477ADD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClipSelect
                                                                                • String ID: `\A
                                                                                • API String ID: 4060119947-2688774508
                                                                                • Opcode ID: 06b51b8d0a35539911a1174ba0e1fdbdffd80f8d1274dfde723953f1898d98e6
                                                                                • Instruction ID: faa437b46a610acd50fec76494086bcc72a138a544a13e83142fd3d386856dad
                                                                                • Opcode Fuzzy Hash: 06b51b8d0a35539911a1174ba0e1fdbdffd80f8d1274dfde723953f1898d98e6
                                                                                • Instruction Fuzzy Hash: 4AF03077204612AB66209E59C9C0CBBA79CDF94310359C82AEE09D7214C664ED048B74
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004629ED,?), ref: 0046CADB
                                                                                • GetStringTypeW.KERNEL32(?,?,00000000,)F,?,?,?,?,?,?,004629ED,?), ref: 0046CAED
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiStringTypeWide
                                                                                • String ID: )F
                                                                                • API String ID: 3139900361-1070133202
                                                                                • Opcode ID: 17efe85d00afa005840a53ffc94325bd6acabfb6b8851e07d3c38c67bca12130
                                                                                • Instruction ID: 2dc489e4fd365e7d0f0a1b92d6689d4fdbeb19f46853b5a05488ceb34da3ce60
                                                                                • Opcode Fuzzy Hash: 17efe85d00afa005840a53ffc94325bd6acabfb6b8851e07d3c38c67bca12130
                                                                                • Instruction Fuzzy Hash: E0F0FE36501159AFCF21CFC0DC85AEEBF72FB04360F108529FA2172160D77589659B95
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID:
                                                                                • API String ID: 2111968516-0
                                                                                • Opcode ID: e53baf390d40236d1657f97d7af99b5c604668d13809a90b2874d4a2185e978b
                                                                                • Instruction ID: b0b98e4cac10e2ece0834141785c99a3cc00aaf60ef2c678ae699edb56292cf9
                                                                                • Opcode Fuzzy Hash: e53baf390d40236d1657f97d7af99b5c604668d13809a90b2874d4a2185e978b
                                                                                • Instruction Fuzzy Hash: 5531B2B15043405BC204DB65D8959AFB7E8EFC4758F400A2EF94693281EB78DE08CBAA
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 0047AD13
                                                                                • LeaveCriticalSection.KERNEL32(?,?), ref: 0047AD23
                                                                                • LocalFree.KERNEL32(?), ref: 0047AD2C
                                                                                • TlsSetValue.KERNEL32(?,00000000), ref: 0047AD42
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                                                • String ID:
                                                                                • API String ID: 2949335588-0
                                                                                • Opcode ID: fd644273c7f307a0ffcf8950e43e428b1a7ccda5098349a4df74bd8a50e62122
                                                                                • Instruction ID: 6c8010bf763666ba20fb44a718955ca79741aca7d31deec4cd7fc69a8fa1f5b5
                                                                                • Opcode Fuzzy Hash: fd644273c7f307a0ffcf8950e43e428b1a7ccda5098349a4df74bd8a50e62122
                                                                                • Instruction Fuzzy Hash: 6B21AC31200200EFC7258F48D888BAE77B5FF85712F10886EE5068B2A1C7B9FC51CB5A
                                                                                APIs
                                                                                • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00469BA2,00000000,00000000,00000000,00462693,00000000,00000000,?,00000000,00000000,00000000), ref: 00469E02
                                                                                • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00469BA2,00000000,00000000,00000000,00462693,00000000,00000000,?,00000000,00000000,00000000), ref: 00469E36
                                                                                • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00469E50
                                                                                • HeapFree.KERNEL32(00000000,?), ref: 00469E67
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocHeap$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 3499195154-0
                                                                                • Opcode ID: a0f725b136460bb36cf323bef517479620b52ee3df21469fa7b09c70f0ba89c9
                                                                                • Instruction ID: 764ef8006c5f468928c8b252b055112af992b906e46ba553757168ce6ae6ab6f
                                                                                • Opcode Fuzzy Hash: a0f725b136460bb36cf323bef517479620b52ee3df21469fa7b09c70f0ba89c9
                                                                                • Instruction Fuzzy Hash: 0E115E712016009FC7228F18FC45D667BB5FBA4321710891FF551C65B0E3719C4ADF16
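As an added example (not part of the Joe Sandbox report and not code from the sample), a small Python parser for the per-function "APIs" bullets printed in these entries. It extracts call site, API name, module and argument list from each bullet, tolerates the argument-list quirks the report shows (unknown arguments printed as "?", junk tokens such as ")F", "Part of subcall function" lines, and calls listed without an argument list), and decodes the flAllocationType and flProtect arguments of the VirtualAlloc at 00469E50 above into their named Win32 constants. The class and function names (ApiCall, FunctionEntry, parse_entries, decode_virtual_alloc, triage) are mine; the sample text is copied from entries on this page and is labelled as constructed input. For this call the report shows 00002000/00000004, i.e. MEM_RESERVE with PAGE_READWRITE over a 0x100000-byte region: a reservation of non-executable memory, not the PAGE_EXECUTE_READWRITE allocation that typically precedes in-memory staging of a payload. The decoder flags only the PAGE_EXECUTE* protections, so this entry is correctly reported as non-executable.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: "APIs" blocks copied in the shape this report prints
# them (one bullet per call: API.MODULE(args), ref: address). The four blocks are
# the function entries at 00469E02, 004716D8, 0046CADB and 0047BAC0 on this page.
SAMPLE = """\
APIs
• HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00469BA2,00000000,00000000,00000000,00462693,00000000,00000000,?,00000000,00000000,00000000), ref: 00469E02
• HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00469BA2,00000000,00000000,00000000,00462693,00000000,00000000,?,00000000,00000000,00000000), ref: 00469E36
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00469E50
• HeapFree.KERNEL32(00000000,?), ref: 00469E67
Memory Dump Source
APIs
• __EH_prolog.LIBCMT ref: 004716D8
• lstrlenA.KERNEL32(?,?,?,?,00438AAF,?,004F2190,?), ref: 004716FF
Strings
APIs
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004629ED,?), ref: 0046CADB
• GetStringTypeW.KERNEL32(?,?,00000000,)F,?,?,?,?,?,?,004629ED,?), ref: 0046CAED
Strings
APIs
• EnterCriticalSection.KERNEL32(0051A640,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BAC0
• InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BAD2
  • Part of subcall function 0047B9F2: GetVersion.KERNEL32(?,0047BA95,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B,00476126,004773C2), ref: 0047BA05
Memory Dump Source
"""

# One bullet: optional "Part of subcall function X:" prefix, API.MODULE, an
# optional "(args)," list, then "ref: <hex>". The args group is greedy so a
# stray ')' inside the list (as in ")F") does not end the match early.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Documented Win32 values for VirtualAlloc's flAllocationType and flProtect.
MEM_FLAGS: Dict[int, str] = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES",
}
PAGE_PROTECT: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]         # None where the report printed '?' or junk
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)


def parse_args(raw: str) -> List[Optional[int]]:
    """Split the argument list, keeping positions; non-hex tokens become None."""
    if not raw.strip():
        return []
    out: List[Optional[int]] = []
    for tok in raw.split(","):
        tok = tok.strip()
        try:
            out.append(int(tok, 16) if tok and tok != "?" else None)
        except ValueError:
            out.append(None)
    return out


def parse_entries(text: str) -> List[FunctionEntry]:
    """Group the bullets under each 'APIs' heading into one FunctionEntry."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        m = API_LINE.match(stripped)
        if m and current is not None:
            current.calls.append(ApiCall(
                api=m["api"], module=m["mod"], args=parse_args(m["args"] or ""),
                ref=int(m["ref"], 16),
                subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return entries


def decode_virtual_alloc(call: ApiCall) -> Optional[dict]:
    """Decode VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)."""
    if call.api != "VirtualAlloc" or len(call.args) < 4:
        return None
    size, alloc, prot = call.args[1], call.args[2], call.args[3]
    if alloc is None or prot is None:
        return None
    return {
        "size": size,
        "alloc": [name for bit, name in MEM_FLAGS.items() if alloc & bit],
        "protect": PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:X}"),
        "executable": bool(prot & 0xF0),  # any PAGE_EXECUTE* value (0x10..0x80)
    }


def triage(entries: List[FunctionEntry]) -> List[tuple]:
    """Return (call-site, decoded flags) for every VirtualAlloc with concrete args."""
    found = []
    for entry in entries:
        for call in entry.calls:
            decoded = decode_virtual_alloc(call)
            if decoded is not None:
                found.append((call.ref, decoded))
    return found


if __name__ == "__main__":
    for ref, d in triage(parse_entries(SAMPLE)):
        print(f"VirtualAlloc @ {ref:08X}: size=0x{d['size']:X} "
              f"{'|'.join(d['alloc'])} {d['protect']} executable={d['executable']}")
```

The same parser applied to the whole function listing gives a quick way to separate entries worth reading (executable allocations, VirtualAlloc followed by a write and a thread start) from CRT and MFC housekeeping such as the critical-section and TLS cleanup entries around it.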
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0051A640,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BAC0
                                                                                • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BAD2
                                                                                • LeaveCriticalSection.KERNEL32(0051A640,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BADB
                                                                                • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B,00476126), ref: 0047BAED
                                                                                  • Part of subcall function 0047B9F2: GetVersion.KERNEL32(?,0047BA95,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B,00476126,004773C2), ref: 0047BA05
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                                                • String ID:
                                                                                • API String ID: 1193629340-0
                                                                                • Opcode ID: 01aa9aade19124b3cea00fe5ff2cd721bf68ccfd6847a0ba3cf67cc248036e82
                                                                                • Instruction ID: 1ff7931f1da3bfeb8180eec7f2ef4101beebb9c49667dfdd82b79d79a43bd364
                                                                                • Opcode Fuzzy Hash: 01aa9aade19124b3cea00fe5ff2cd721bf68ccfd6847a0ba3cf67cc248036e82
                                                                                • Instruction Fuzzy Hash: 9CF0A47140221BDFCB12EF65EC84AD6B36DFB60315B00843BE21542111D778E98ADA99
                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684D8
                                                                                • InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684E0
                                                                                • InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684E8
                                                                                • InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2282187478.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2282169464.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.0000000000480000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282239605.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282303119.00000000004E8000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282322642.00000000004EA000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282343686.00000000004EB000.00000008.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282375734.00000000004F5000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.00000000004F9000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.0000000000505000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282398025.000000000051A000.00000004.00000001.01000000.00000005.sdmp
                                                                                • Associated: 00000002.00000002.2282535425.000000000051D000.00000002.00000001.01000000.00000005.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_#U63d0#U53d6Proxy (1).jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInitializeSection
                                                                                • String ID:
                                                                                • API String ID: 32694325-0
                                                                                • Opcode ID: 7f7fc44961e1164cfba578e1359e8f998d32cbb71831ebf8b5216d9e8ead6d5a
                                                                                • Instruction ID: 4f3d349e70bd1fc45f64f6966d9e4b6a4ef094c0ceeb66d6a0274661e593c40b
                                                                                • Opcode Fuzzy Hash: 7f7fc44961e1164cfba578e1359e8f998d32cbb71831ebf8b5216d9e8ead6d5a
                                                                                • Instruction Fuzzy Hash: B3C00231A100389ACE516B55FE058593F26EB442603020072A10451034CA711C74DFD8

                                                                                Execution Graph

                                                                                Execution Coverage:1.7%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:285
                                                                                Total number of Limit Nodes:16
                                                                                execution_graph: [rendered execution graph; the interactive node/edge dump is not recoverable as text]

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004020F7
                                                                                  • Part of subcall function 00401D21: GetCommandLineA.KERNEL32(?,kinh.xmcxmr.com,00000458), ref: 00401D54
                                                                                • wsprintfA.USER32 ref: 00402153
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00402167
                                                                                • GetLastError.KERNEL32 ref: 00402170
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00402186
                                                                                • ExpandEnvironmentStringsA.KERNEL32(%SystemRoot%\system32\,?,00000104), ref: 004021A4
                                                                                • GetFileAttributesA.KERNEL32(?,?), ref: 0040220D
                                                                                • ExpandEnvironmentStringsA.KERNEL32(%Temp%\,?,00000104), ref: 00402225
                                                                                • GetTickCount.KERNEL32 ref: 00402227
                                                                                • wsprintfA.USER32 ref: 00402247
                                                                                • LoadLibraryA.KERNELBASE(?), ref: 00402267
                                                                                • GetProcAddress.KERNEL32(00000000,MainThread), ref: 00402288
                                                                                • DeleteFileA.KERNEL32(?), ref: 00402297
                                                                                • GetProcAddress.KERNEL32(00000000,Install), ref: 004022A5
                                                                                • wsprintfA.USER32 ref: 004022CF
                                                                                • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004022F5
                                                                                • FreeLibrary.KERNELBASE(?), ref: 004022FE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Filewsprintf$AddressEnvironmentExpandLibraryProcStrings$AttributesCloseCommandCountCreateDeleteErrorFreeH_prologHandleLastLineLoadMoveMutexTick
                                                                                • String ID: "%s",MainThread$%SystemRoot%\system32\$%Temp%\$%s%d.bat$%s:%d:%s$Install$MainThread$kinh.xmcxmr.com$open$rundll32.exe$svchcst
                                                                                • API String ID: 257601923-1586354655
                                                                                • Opcode ID: 5f648a773d603a6aeff2806bd0974a3f6d7f380e9a8df7a5a8c895d7b1df6949
                                                                                • Instruction ID: 5d7dcedb8153f61fd942b4d46a4edae1349ef5c03a613b66aa2a42c1be64b2cd
                                                                                • Opcode Fuzzy Hash: 5f648a773d603a6aeff2806bd0974a3f6d7f380e9a8df7a5a8c895d7b1df6949
                                                                                • Instruction Fuzzy Hash: 37518F71900218ABDB25ABA1DD89EEF777CBF44304F4001BAF605F21D1DB789A458FA9

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00454218,004540C0,00000100,!@,004541FC,004541FC,0042F2A8,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?), ref: 0042F00E
                                                                                • GlobalAlloc.KERNELBASE(00002002,00000000,!@,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F063
                                                                                • GlobalHandle.KERNEL32(00582370), ref: 0042F06C
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0042F075
                                                                                • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0042F087
                                                                                • GlobalHandle.KERNEL32(00582370), ref: 0042F09E
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0042F0A5
                                                                                • LeaveCriticalSection.KERNEL32(?,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F0AB
                                                                                • GlobalLock.KERNEL32(?), ref: 0042F0BA
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?), ref: 0042F103
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                                • String ID: !@$!@
                                                                                • API String ID: 2667261700-740718224
                                                                                • Opcode ID: 098847425a676799355a27391d09094d27e98224197783b73840aaa79e1fccc5
                                                                                • Instruction ID: 1a134948075b3ef4c12703b1b5943ba3c26e82e5cc25974ba4d6318aeb358564
                                                                                • Opcode Fuzzy Hash: 098847425a676799355a27391d09094d27e98224197783b73840aaa79e1fccc5
                                                                                • Instruction Fuzzy Hash: 223180752007059FDB249F28EC89A6AB7F8FB84305B404A3EF852C3662E775F9498B14

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,?,?,?,76938400,80000002,00000000), ref: 00401AED
                                                                                • wsprintfA.USER32 ref: 00401B16
                                                                                • lstrcpyA.KERNEL32(0044DF80,00000000), ref: 00401B6B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: LocalTimelstrcpywsprintf
                                                                                • String ID: %4d-%.2d-%.2d %.2d:%.2d$2024-11-21 03:40$kinh.xmcxmr.com
                                                                                • API String ID: 3871240451-1442559968
                                                                                • Opcode ID: fba96d34ee47eef86a4be669fe4e61190d887298eaac3ad5a0476fc67a3859f8
                                                                                • Instruction ID: aada652e1d41f3351531325a79c1a4dff71f0cd1773ba7ca89e3baf48a56e0ab
                                                                                • Opcode Fuzzy Hash: fba96d34ee47eef86a4be669fe4e61190d887298eaac3ad5a0476fc67a3859f8
                                                                                • Instruction Fuzzy Hash: 9E21B3A2A402147AEB10A7E28C4AFEB37AC9F45715F00047BFA09B21D1EA3D9941C77D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0041FA84
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 0041FA8B
                                                                                • GetDC.USER32(00000000), ref: 0041FAA4
                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0041FAB5
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041FABD
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041FAC5
                                                                                  • Part of subcall function 0042F489: GetSystemMetrics.USER32(00000002), ref: 0042F49B
                                                                                  • Part of subcall function 0042F489: GetSystemMetrics.USER32(00000003), ref: 0042F4A5
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                                                • String ID:
                                                                                • API String ID: 1031845853-0
                                                                                • Opcode ID: ee63e318037f6f51dbb1f692778a7d58b7f9b8a48d16266dad5152c1c354cd67
                                                                                • Instruction ID: 25ee367f1de250752158a8579bdf5a166f246b04e59f62f292f49ff813c08f0c
                                                                                • Opcode Fuzzy Hash: ee63e318037f6f51dbb1f692778a7d58b7f9b8a48d16266dad5152c1c354cd67
                                                                                • Instruction Fuzzy Hash: CBF0B435640700AFE2206BB29C49F5777B4EFD0752F11453FE60546290CAB8A8498FA9

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,?,?,0042F464), ref: 0042F4E0
                                                                                • GetProcessVersion.KERNELBASE(00000000,?,?,?,0042F464), ref: 0042F51D
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 0042F54B
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 0042F556
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: CursorLoadVersion$Process
                                                                                • String ID: 0DE
                                                                                • API String ID: 2246821583-1233716124
                                                                                • Opcode ID: ab16a2b3afd4cd1b4c7e856091d9ceeea21ac5e27a883bd0de3a3656eb6cac8b
                                                                                • Instruction ID: a9d71c6fe3e927353179423b7064376f64feb01009672ef156977568e25c4602
                                                                                • Opcode Fuzzy Hash: ab16a2b3afd4cd1b4c7e856091d9ceeea21ac5e27a883bd0de3a3656eb6cac8b
                                                                                • Instruction Fuzzy Hash: 71118FB1A00B508FD724DF3A998466ABBE5FF887057404D3FE18BC6B50D778A445CB54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetVersion.KERNEL32 ref: 0040AB96
                                                                                  • Part of subcall function 0040D906: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040ABCE,00000001), ref: 0040D917
                                                                                  • Part of subcall function 0040D906: HeapDestroy.KERNEL32 ref: 0040D956
                                                                                • GetCommandLineA.KERNEL32 ref: 0040ABF6
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 0040AC21
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040AC44
                                                                                  • Part of subcall function 0040AC9D: ExitProcess.KERNEL32 ref: 0040ACBA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                • String ID:
                                                                                • API String ID: 2057626494-0
                                                                                • Opcode ID: 1cb1fdbc09b28400fd379be09374161b8d38fc97b9f046c64e1b7ba198244bf9
                                                                                • Instruction ID: 4e60150630a16c5719749b4abb308ae7f1db03ba93a828d33c039877af9c0485
                                                                                • Opcode Fuzzy Hash: 1cb1fdbc09b28400fd379be09374161b8d38fc97b9f046c64e1b7ba198244bf9
                                                                                • Instruction Fuzzy Hash: CB2193B1840709AFDB04AFA6DC09A6E7BB8AF44744F10053FF501BA2D1DB388450CB59

                                                                                Control-flow Graph

                                                                                control_flow_graph 134 40ae2f-40ae3e call 40aed4 137 40ae40-40ae4b GetCurrentProcess TerminateProcess 134->137 138 40ae51-40ae67 134->138 137->138 139 40aea5-40aeb9 call 40aee6 138->139 140 40ae69-40ae70 138->140 149 40aec2-40aecc ExitProcess 139->149 150 40aebb-40aec1 call 40aedd 139->150 142 40ae72-40ae7e 140->142 143 40ae94-40aea4 call 40aee6 140->143 146 40ae80-40ae84 142->146 147 40ae93 142->147 143->139 151 40ae86 146->151 152 40ae88-40ae91 146->152 147->143 151->152 152->146 152->147
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(?,?,0040AE1A,?,00000000,00000000,0040AC59,00000000,00000000), ref: 0040AE44
                                                                                • TerminateProcess.KERNEL32(00000000,?,0040AE1A,?,00000000,00000000,0040AC59,00000000,00000000), ref: 0040AE4B
                                                                                • ExitProcess.KERNEL32 ref: 0040AECC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: e0c3b4a8a4af9a85aad23f7cfe8d35688fd5e2ba26a6faaf5be03714e3bab740
                                                                                • Instruction ID: e987e20b2b74d6441040e306482e48ec04ae606b887794da4c04455d8f96bcb2
                                                                                • Opcode Fuzzy Hash: e0c3b4a8a4af9a85aad23f7cfe8d35688fd5e2ba26a6faaf5be03714e3bab740
                                                                                • Instruction Fuzzy Hash: BB01C831584300AFEB21AF65FC8566B77A4ABD0356710043FF544661E1DB78A8D0C69F

                                                                                Control-flow Graph

                                                                                control_flow_graph 155 4017aa-4017e0 CreateFileA WriteFile 156 4017e2 155->156 157 4017e4-4017f0 CloseHandle 155->157 156->157
                                                                                APIs
                                                                                • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00000458,00000000,?,00401B8D,00000001,00441158,?,00000458), ref: 004017C0
                                                                                • WriteFile.KERNELBASE(00000000,00441158,0000CC00,?,00000000,?,00401B8D,00000001,00441158,?,00000458), ref: 004017D8
                                                                                • CloseHandle.KERNEL32(00000000,?,00401B8D,00000001,00441158,?,00000458), ref: 004017E5
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleWrite
                                                                                • String ID:
                                                                                • API String ID: 1065093856-0
                                                                                • Opcode ID: 96a56e667dd384a7afec03a3ae8fa3c3aa587876dbaf786fb5fcf65a3f43113d
                                                                                • Instruction ID: 51156494b9f89566f41b380f3ff552d8a5d36dc05546ce33f629bed432926409
                                                                                • Opcode Fuzzy Hash: 96a56e667dd384a7afec03a3ae8fa3c3aa587876dbaf786fb5fcf65a3f43113d
                                                                                • Instruction Fuzzy Hash: 8FE0DFB13812187FFB202B91ACCAFE77B5CEB017D8F000032FE09A7290C6616C0086B8

                                                                                Control-flow Graph

                                                                                control_flow_graph 158 40d906-40d924 HeapCreate 159 40d926-40d933 call 40d7be 158->159 160 40d95c-40d95e 158->160 163 40d942-40d945 159->163 164 40d935-40d940 call 40d963 159->164 166 40d947 call 40e4aa 163->166 167 40d95f-40d962 163->167 170 40d94c-40d94e 164->170 166->170 170->167 171 40d950-40d956 HeapDestroy 170->171 171->160
                                                                                APIs
                                                                                • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040ABCE,00000001), ref: 0040D917
                                                                                  • Part of subcall function 0040D7BE: GetVersionExA.KERNEL32 ref: 0040D7DD
                                                                                • HeapDestroy.KERNEL32 ref: 0040D956
                                                                                  • Part of subcall function 0040D963: HeapAlloc.KERNEL32(00000000,00000140,0040D93F,000003F8), ref: 0040D970
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocCreateDestroyVersion
                                                                                • String ID:
                                                                                • API String ID: 2507506473-0
                                                                                • Opcode ID: d9f2ef4fffe6ea09ea837f107cbe9947e0590daf83edb832b132a38daf13a15c
                                                                                • Instruction ID: 0bc681230d3be9cc1c487b5691e394fedbd9d5fb1d565f7a72930b142be50153
                                                                                • Opcode Fuzzy Hash: d9f2ef4fffe6ea09ea837f107cbe9947e0590daf83edb832b132a38daf13a15c
                                                                                • Instruction Fuzzy Hash: 45F09BB0E153029ADF202FB15C4577A3A94AB50766F140437F401E92E6EB78C9C4E70D

Control-flow Graph
• Blocks (id start-end [API]):
  172 401958-401965 GetFileAttributesA
  173 401975-401978
  174 401967-401970 GetLastError
  175 401972-401974
• Edges: 172->173, 172->174, 174->173, 174->175
APIs
• GetFileAttributesA.KERNELBASE(00000001,00401BA0,00000001), ref: 0040195C
• GetLastError.KERNEL32 ref: 00401967
Memory Dump Source
• Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_look2.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
• Opcode ID: 561b67daf40a350f98f661a2b3e73128ac8e3a90678803e90c6b4a03d47ef4fd
• Instruction ID: 0d531cab702acc615b5baff349756b9bcff41b0ae92af3546a2bee5483639887
• Opcode Fuzzy Hash: 561b67daf40a350f98f661a2b3e73128ac8e3a90678803e90c6b4a03d47ef4fd
• Instruction Fuzzy Hash: ADC08CB120000066DA600730BC59ACB3623AF92332F200B35F132C00F0CB309C80F508

Control-flow Graph
• Blocks (id start-end [calls/API]):
  176 40a47a-40a4a5
  177 40a4a7-40a4b0
  178 40a4ea-40a4ed
  179 40a4b6-40a4da call 40eba0 call 40dcff call 40a4e1
  180 40a549-40a54e
  181 40a4ef-40a4f4
  183 40a550-40a552
  184 40a553-40a558
  185 40a4f6-40a4fc
  186 40a4fe-40a500
  188 40a559-40a561 RtlAllocateHeap
  189 40a501-40a50a
  190 40a53a-40a53b
  191 40a50c-40a538 call 40eba0 call 40e7a2 call 40a540
  193 40a567-40a575
  201 40a4dc
• Edges: 176->177, 176->178, 177->179, 177->180, 178->180, 178->181, 179->180, 179->201, 180->183, 180->184, 181->185, 181->186, 183->184, 184->188, 185->189, 186->189, 188->193, 189->190, 189->191, 190->188, 191->190, 191->193, 201->193
APIs
• RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0040A561
  • Part of subcall function 0040EBA0: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0040C8D3,00000009,00000000,00000000,00000001,0040D698,00000001,00000074,?,?,00000000,00000001), ref: 0040EBDD
  • Part of subcall function 0040EBA0: EnterCriticalSection.KERNEL32(?,?,?,0040C8D3,00000009,00000000,00000000,00000001,0040D698,00000001,00000074,?,?,00000000,00000001), ref: 0040EBF8
Memory Dump Source
• Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_look2.jbxd
Similarity
• API ID: CriticalSection$AllocateEnterHeapInitialize
• String ID:
• API String ID: 1616793339-0
• Opcode ID: 6b175af447c32cc6e44918429516408e452d3da64828247e352536b495abacea
• Instruction ID: 8a81674eba5a4b9668df92cf3328c3355dc5fb2609b64302b04ab97f79e5e143
• Opcode Fuzzy Hash: 6b175af447c32cc6e44918429516408e452d3da64828247e352536b495abacea
• Instruction Fuzzy Hash: 13218332A00714BBDB10EB699C42B9EB764FB00764F14463BF411FB2D1C77CA951965E
APIs
• __EH_prolog.LIBCMT ref: 00421109
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00421170
• GetFileTime.KERNEL32(?,?,?,?,?), ref: 00421203
• SetFileTime.KERNEL32(?,?,?,?), ref: 0042122E
• GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00421248
• GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00421266
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00421271
  • Part of subcall function 0041E442: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 0041E469
Memory Dump Source
• Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_look2.jbxd
Similarity
• API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
• String ID: DD
• API String ID: 726943650-194360491
• Opcode ID: b12fce8f5da00e8820a2a92695b6d609eb8bc618c05d7bf0a0161683110dedb6
• Instruction ID: bf0b7279e5369f8b1299b7476def8ccf701e92b392c6c18445cb1e03e42ede84
• Opcode Fuzzy Hash: b12fce8f5da00e8820a2a92695b6d609eb8bc618c05d7bf0a0161683110dedb6
• Instruction Fuzzy Hash: 65514D72A00119AFDF01EFA1DD85EEEBBBDFF08344F00402AF915A61A1DB349A54CB64
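These entries are machine-generated, so the first thing a triage engineer does with them is parse them. The block below is an added example (not code from Joe Sandbox, the report, or the sample) that rebuilds the basic-block graph from the two control_flow_graph descriptions above and walks the per-function API lists, flagging two ordered call idioms worth surfacing: GetFileAttributesA followed by GetLastError (a path-existence probe), and GetFileTime/SetFileTime together with GetFileSecurityA/SetFileSecurityA where RequestedInformation is 4, which is DACL_SECURITY_INFORMATION (timestamps and the DACL read before a rewrite and written back afterwards, so a modified file keeps its old mtime and ACL). The line grammar (`<id> <start>-<end> [call <addr>|<ApiName>]...` for a block, `<id>-><id>` for an edge) is inferred from the two entries on this page and is an assumption; the sample strings are copied from the entries for 0x401958, 0x40A47A and 0x421109, and nothing else in the block is real data.

```python
"""Rebuild the block graph and flag call idioms from the per-function
"control_flow_graph ..." and "APIs" entries that a Joe Sandbox report prints.
Added example, not report code: the line grammar is inferred from this page (assumption)."""
import re
from collections import defaultdict

# Constructed input, copied from the report entries for the functions at 0x401958,
# 0x40A47A and 0x421109 on this page; the addresses are the report's, nothing else is data.
CFG_SAMPLES = {
    0x401958: "172 401958-401965 GetFileAttributesA 173 401975-401978 172->173 174 401967-401970 "
              "GetLastError 172->174 174->173 175 401972-401974 174->175",
    0x40a47a: "176 40a47a-40a4a5 177 40a4a7-40a4b0 176->177 178 40a4ea-40a4ed 176->178 179 40a4b6-40a4da "
              "call 40eba0 call 40dcff call 40a4e1 177->179 180 40a549-40a54e 177->180 178->180 "
              "181 40a4ef-40a4f4 178->181 179->180 201 40a4dc 179->201 183 40a550-40a552 180->183 "
              "184 40a553-40a558 180->184 185 40a4f6-40a4fc 181->185 186 40a4fe-40a500 181->186 183->184 "
              "188 40a559-40a561 RtlAllocateHeap 184->188 189 40a501-40a50a 185->189 186->189 "
              "193 40a567-40a575 188->193 190 40a53a-40a53b 189->190 191 40a50c-40a538 call 40eba0 "
              "call 40e7a2 call 40a540 189->191 190->188 191->190 191->193 201->193",
}
API_SAMPLES = {
    0x401958: ["• GetFileAttributesA.KERNELBASE(00000001,00401BA0,00000001), ref: 0040195C",
               "• GetLastError.KERNEL32 ref: 00401967"],
    0x421109: ["• __EH_prolog.LIBCMT ref: 00421109",
               "• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00421170",
               "• GetFileTime.KERNEL32(?,?,?,?,?), ref: 00421203",
               "• SetFileTime.KERNEL32(?,?,?,?), ref: 0042122E",
               "• GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00421248",
               "• GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00421266",
               "• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00421271",
               "  • Part of subcall function 0041E442: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 0041E469"],
}
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                   # "172->173"
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")  # "401958-401965" or lone "40a4dc"
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"([A-Za-z_]\w*)\.([A-Z0-9_]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")

IDIOMS = {
    # GetFileAttributesA then GetLastError: the usual "does this path exist" probe
    "file-existence probe": ("GetFileAttributesA", "GetLastError"),
    # timestamps and DACL (RequestedInformation 4 == DACL_SECURITY_INFORMATION) read before a
    # rewrite and written back after it, so the modified file keeps its old mtime and ACL
    "timestamps+DACL preserved across rewrite":
        ("GetFileTime", "SetFileTime", "GetFileSecurityA", "SetFileSecurityA"),
}


def parse_cfg(text):
    """Return ({block_id: {start, end, calls, apis}}, [(src, dst), ...])."""
    toks, blocks, edges, cur, i = text.split(), {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        if (m := EDGE_RE.match(tok)):
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and (r := RANGE_RE.match(toks[i + 1])):
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start
            cur = blocks[int(tok)] = {"start": start, "end": end, "calls": [], "apis": []}
            i += 2
        elif tok == "call" and i + 1 < len(toks):
            cur["calls"].append(int(toks[i + 1], 16))   # internal call target
            i += 2
        else:
            cur["apis"].append(tok)                     # imported API hit in this block
            i += 1
    return blocks, edges


def summarize(blocks, edges):
    """Exit blocks, conditional-branch blocks, and which blocks touch an API."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    return {"exits": sorted(b for b in blocks if not succ[b]),
            "branches": sorted(b for b in blocks if len(succ[b]) > 1),
            "api_blocks": {b: v["apis"] for b, v in blocks.items() if v["apis"]}}


def parse_apis(lines):
    """Return [(api, module, [args], ref_addr, from_subcall)] in report order."""
    out = []
    for line in lines:
        if (m := API_RE.match(line)):
            args = [a for a in (m.group(3) or "").split(",") if a]
            out.append((m.group(1), m.group(2), args, int(m.group(4), 16), "subcall" in line))
    return out


def match_idioms(api_calls):
    """Labels of IDIOMS whose sequence occurs, in order, among the function's own calls."""
    names = [c[0] for c in api_calls if not c[4]]   # drop inlined "Part of subcall" entries
    hits = []
    for label, seq in IDIOMS.items():
        pos = 0
        for name in names:
            if pos < len(seq) and name == seq[pos]:
                pos += 1
        if pos == len(seq):
            hits.append(label)
    return hits


if __name__ == "__main__":   # quick look at the constructed samples
    print({hex(a): summarize(*parse_cfg(t)) for a, t in CFG_SAMPLES.items()})
    print({hex(a): match_idioms(parse_apis(l)) for a, l in API_SAMPLES.items()})
```

Run it as a script to print per-function summaries, or import it and call `match_idioms(parse_apis(lines))` on lines pasted from another report. A hit is a lead, not a verdict: the matcher only checks call order, and the same API mix occurs in runtime library code that is statically linked into this sample (the sample links LIBCMT, and the WM_MOUSEWHEEL forwarding through GetFocus/GetDesktopWindow and the RegisterClipboardFormatA run over the OLE format names in later entries on this page are consistent with MFC library code rather than the RAT's own logic), so confirm against the disassembly at the `ref:` addresses before attributing a function to the malware.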
APIs
• GetKeyState.USER32(00000011), ref: 0042B18B
• GetKeyState.USER32(00000010), ref: 0042B19B
• GetFocus.USER32 ref: 0042B1AB
• GetDesktopWindow.USER32 ref: 0042B1B3
• SendMessageA.USER32(?,0000020A,?,?), ref: 0042B1D7
• SendMessageA.USER32(00000000,0000020A,?,?), ref: 0042B1F6
• GetParent.USER32(00000000), ref: 0042B1FF
Memory Dump Source
• Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_look2.jbxd
Similarity
• API ID: MessageSendState$DesktopFocusParentWindow
• String ID:
• API String ID: 4150626516-0
• Opcode ID: 6bb3ab0aa938db4f1c2e67b5a664b0027ace542446627be524c3789b6ab52d10
• Instruction ID: e36b63b1a2dab582ae4618b4020a24e79d6deebe97d59e682bd4ec38e6b1128a
• Opcode Fuzzy Hash: 6bb3ab0aa938db4f1c2e67b5a664b0027ace542446627be524c3789b6ab52d10
• Instruction Fuzzy Hash: C11E332B00324BFEB001BA5AC48EBA7BA8EB547E0F510537FA41D7241D7B4AD5196F8
APIs
• GetKeyState.USER32(00000011), ref: 0042B18B
• GetKeyState.USER32(00000010), ref: 0042B19B
• GetFocus.USER32 ref: 0042B1AB
• GetDesktopWindow.USER32 ref: 0042B1B3
• SendMessageA.USER32(?,0000020A,?,?), ref: 0042B1D7
Memory Dump Source
• Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_look2.jbxd
Similarity
• API ID: State$DesktopFocusMessageSendWindow
• String ID:
• API String ID: 2814764316-0
• Opcode ID: da8259600469277c80a9c770a9401a3e868c4831f23239d9874a5b9b050f103a
• Instruction ID: 975ee90d7c77537f4dbaed89e4cad44ed4bb3c407fba807930581d5e600200b9
• Opcode Fuzzy Hash: da8259600469277c80a9c770a9401a3e868c4831f23239d9874a5b9b050f103a
• Instruction Fuzzy Hash: 4601D875B00314AFEB001A94AC55FB47B98DB507E4F500537EA42D7181D7A8AC5296A8
APIs
• __EH_prolog.LIBCMT ref: 0042C079
• GetWindowRect.USER32(?,?), ref: 0042C0BD
• OffsetRect.USER32(?,?,?), ref: 0042C0D3
• GetSysColor.USER32(00000006), ref: 0042C0F0
• CreateSolidBrush.GDI32(00000000), ref: 0042C0F9
• GetSysColor.USER32(?), ref: 0042C120
• CreateSolidBrush.GDI32(00000000), ref: 0042C123
• GetSysColor.USER32(?), ref: 0042C14A
• CreateSolidBrush.GDI32(00000000), ref: 0042C14D
• GetSystemMetrics.USER32(00000006), ref: 0042C160
• GetSystemMetrics.USER32(00000005), ref: 0042C167
• GetSystemMetrics.USER32(00000021), ref: 0042C16E
• GetSystemMetrics.USER32(00000020), ref: 0042C174
• InflateRect.USER32(?,?,?), ref: 0042C1AC
Memory Dump Source
• Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_look2.jbxd
Similarity
• API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
• String ID: DD$teC
• API String ID: 1266645593-1768605486
• Opcode ID: 3ddc5f23da503b7c7cdf8104d98daf19e79463584090ffc96435a5e92cf910e5
• Instruction ID: 0d2fadb070d88655ca329136d3d9c15b0ea3d91ed83fde05bff45e1595fef0de
• Opcode Fuzzy Hash: 3ddc5f23da503b7c7cdf8104d98daf19e79463584090ffc96435a5e92cf910e5
• Instruction Fuzzy Hash: B3022A72E00229AFCF10DBE4DD85EEEBBB9AF48704F14411AE501F7291DB74AA45CB64
                                                                                APIs
                                                                                • RegisterClipboardFormatA.USER32(Native), ref: 00430144
                                                                                • RegisterClipboardFormatA.USER32(OwnerLink), ref: 0043014D
                                                                                • RegisterClipboardFormatA.USER32(ObjectLink), ref: 00430157
                                                                                • RegisterClipboardFormatA.USER32(Embedded Object), ref: 00430161
                                                                                • RegisterClipboardFormatA.USER32(Embed Source), ref: 0043016B
                                                                                • RegisterClipboardFormatA.USER32(Link Source), ref: 00430175
                                                                                • RegisterClipboardFormatA.USER32(Object Descriptor), ref: 0043017F
                                                                                • RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 00430189
                                                                                • RegisterClipboardFormatA.USER32(FileName), ref: 00430193
                                                                                • RegisterClipboardFormatA.USER32(FileNameW), ref: 0043019D
                                                                                • RegisterClipboardFormatA.USER32(Rich Text Format), ref: 004301A7
                                                                                • RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 004301B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: ClipboardFormatRegister
                                                                                • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                                                • API String ID: 1228543026-2889995556
                                                                                • Opcode ID: c701336221758a48e27b5f8c6fd3d839f24fb0845f284f4a91e3dc8eeea9ee5e
                                                                                • Instruction ID: de8b3575df22b96577828d073298370b646079c3a8cbd2f6e3c954f187013f03
                                                                                • Opcode Fuzzy Hash: c701336221758a48e27b5f8c6fd3d839f24fb0845f284f4a91e3dc8eeea9ee5e
                                                                                • Instruction Fuzzy Hash: 87017D70A407455ACF306F769C0990BFAE0EEC9B107216D2FF18587650EABC9406CF4C
                                                                                APIs
                                                                                • LoadResource.KERNEL32(00000800,?,00000800,?,00000000,?,00000800), ref: 004240EA
                                                                                • LockResource.KERNEL32(00000000,?,00000800), ref: 004240F5
                                                                                • GetSysColor.USER32 ref: 00424177
                                                                                • GetSysColor.USER32(00000000), ref: 00424185
                                                                                • GetSysColor.USER32(00000000), ref: 00424195
                                                                                • GetDC.USER32(00000000), ref: 004241BB
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004241C7
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 004241D7
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004241E9
                                                                                • StretchDIBits.GDI32(00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000800,00000000,?,00000000,00000000,00CC0020), ref: 00424218
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00424222
                                                                                • DeleteDC.GDI32(00000000), ref: 00424225
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00424230
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
                                                                                • String ID: DllGetVersion
                                                                                • API String ID: 257281507-2861820592
                                                                                • Opcode ID: 2d36c35b7b1c0a563e332d6119bbabf4ca2530dcf855e9999793eabb764456e1
                                                                                • Instruction ID: 65ff7add9e3ef6c87f47ea79ae47ffcadb3f1f9fbf0d8d47f6849ba9d815834a
                                                                                • Opcode Fuzzy Hash: 2d36c35b7b1c0a563e332d6119bbabf4ca2530dcf855e9999793eabb764456e1
                                                                                • Instruction Fuzzy Hash: 8B410572600215FFDB118F64EC88AEF7BB5FFC9350B118029F905972A0C738A961DB68
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004212C9
                                                                                  • Part of subcall function 0041E67B: InterlockedIncrement.KERNEL32(?), ref: 0041E690
                                                                                  • Part of subcall function 0041DF05: CloseHandle.KERNEL32(00000001,00000000,?,0041DC5C,?,?,00426E78,?,?,?,00402C2E,00000004,00000000), ref: 0041DF14
                                                                                  • Part of subcall function 0041DF05: GetLastError.KERNEL32(00000000,0041DC5C,?,?,00426E78,?,?,?,00402C2E,00000004,00000000), ref: 0041DF39
                                                                                • GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 0042131C
                                                                                • GetProcAddress.KERNEL32(00000000,ReplaceFile), ref: 00421328
                                                                                  • Part of subcall function 0042105E: __EH_prolog.LIBCMT ref: 00421063
                                                                                  • Part of subcall function 0042105E: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00421096
                                                                                  • Part of subcall function 0042105E: GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 004210BC
                                                                                  • Part of subcall function 0041E906: InterlockedDecrement.KERNEL32(-000000F4), ref: 0041E91A
                                                                                • lstrlenA.KERNEL32(?,00000000), ref: 00421379
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 0042139C
                                                                                • lstrlenA.KERNEL32(?,?,00000001), ref: 004213BB
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001), ref: 004213DE
                                                                                • lstrlenA.KERNEL32(?,?,00000001,?,00000001), ref: 004213FC
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001,?,00000001), ref: 0042141C
                                                                                • GetLastError.KERNEL32(?,?,?,00000003,00000000,00000000,?,00000001,?,00000001,?,00000001), ref: 00421437
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWidelstrlen$ErrorH_prologHandleInterlockedLastName$AddressCloseDecrementFileFullIncrementModulePathProcTemp
                                                                                • String ID: DD$KERNEL32$ReplaceFile
                                                                                • API String ID: 3306742873-3170329365
                                                                                • Opcode ID: f64154aceb565a704f5f0f7e544939e0eb67cd77e2b43bc5d6e785f55a15dfb4
                                                                                • Instruction ID: cbe110c01f4cdba9bfaad4dc14bd236ff4bedeae28a8400f4706818c3e3750e1
                                                                                • Opcode Fuzzy Hash: f64154aceb565a704f5f0f7e544939e0eb67cd77e2b43bc5d6e785f55a15dfb4
                                                                                • Instruction Fuzzy Hash: E8519EB1D00219AFCB10EFA5DC858EFBBB8EF58358B50056AF811B3260D7385E44CB69
                                                                                APIs
                                                                                  • Part of subcall function 0041A88D: GetWindowLongA.USER32(?,000000F0), ref: 0041A899
                                                                                • GetParent.USER32(?), ref: 0041D261
                                                                                • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0041D284
                                                                                • GetWindowRect.USER32(?,?), ref: 0041D29D
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 0041D2B0
                                                                                • CopyRect.USER32(?,?), ref: 0041D2FD
                                                                                • CopyRect.USER32(?,?), ref: 0041D307
                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041D310
                                                                                • CopyRect.USER32(?,?), ref: 0041D32C
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$Window$Copy$Long$MessageParentSend
                                                                                • String ID:
                                                                                • API String ID: 808654186-0
                                                                                • Opcode ID: 75d234f5d8d093101be7f504eaf451011aa4fde8630474e8e5888457ffd39804
                                                                                • Instruction ID: 73d9993909c31bcf69a6b78a134d9ba4cd72113f3bdd4cf27426fe78c29e3eea
                                                                                • Opcode Fuzzy Hash: 75d234f5d8d093101be7f504eaf451011aa4fde8630474e8e5888457ffd39804
                                                                                • Instruction Fuzzy Hash: F95184B1D00219AFCB14DBA8DD85EEEB7B9AF84314F150166E911F3280D638FD458B68
                                                                                APIs
                                                                                • lstrcmpA.KERNEL32(00000000,00434FB4,?,?,?,?,0042D12A,00000000), ref: 0042D156
                                                                                • lstrcmpA.KERNEL32(00000000,00434FB0,?,?,?,?,0042D12A,00000000), ref: 0042D16E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmp
                                                                                • String ID: Automation$Embedding$Unregister$Unregserver$dde
                                                                                • API String ID: 1534048567-1842294661
                                                                                • Opcode ID: 9d940cbe8ef830cf0c560c18d9049f1b4d254298edeabbebbf6c7cc9c5f7e340
                                                                                • Instruction ID: ac2968ce1de11b8cb94c513a877dc3dfe4e0a0583414e41a2695cd8cc802a55b
                                                                                • Opcode Fuzzy Hash: 9d940cbe8ef830cf0c560c18d9049f1b4d254298edeabbebbf6c7cc9c5f7e340
                                                                                • Instruction Fuzzy Hash: AE1129F17043126AD7206B71AC05F7376EC9FA4788F51591BB00292981DBFCF410876D
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00455CA0,?,0041451F), ref: 004150C6
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00415102
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 0041511D
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00415130
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00415143
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00415156
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00415169
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 0041517C
                                                                                • LeaveCriticalSection.KERNEL32(00455CA0,?,0041451F), ref: 0041518D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
                                                                                • String ID: gE
                                                                                • API String ID: 3843206905-3943094157
                                                                                • Opcode ID: cee0cc74e34eaa18c53a0a96b827e47d2bc57b488168c074401dc6be78415e6d
                                                                                • Instruction ID: bd524ed03294e6ee963bc13494c5d852958be8c899209323a2681d6492b0e3dd
                                                                                • Opcode Fuzzy Hash: cee0cc74e34eaa18c53a0a96b827e47d2bc57b488168c074401dc6be78415e6d
                                                                                • Instruction Fuzzy Hash: A8114C69C00F11E5C7136BA4EC1C3FA2AB4B748306F544022E420977B2EBBC98C5CBAC
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0041701E
                                                                                • GetClientRect.USER32(?,?), ref: 00417039
                                                                                • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041706B
                                                                                • SelectObject.GDI32(?,00000000), ref: 00417079
                                                                                • SetBkMode.GDI32(?,00000002), ref: 0041708A
                                                                                • GetParent.USER32(?), ref: 00417098
                                                                                • SendMessageA.USER32(00000000), ref: 0041709F
                                                                                • SelectObject.GDI32(?,00000000), ref: 004170A9
                                                                                • SelectObject.GDI32(?,00000000), ref: 004170CB
                                                                                • SelectObject.GDI32(?,00000000), ref: 004170DB
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 00417132
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
                                                                                • String ID:
                                                                                • API String ID: 3606012576-0
                                                                                • Opcode ID: 52cb36dd7ec1598d403ffa0ea9eb1c816150ff7fbc5e9de84f9ffa0664250cf6
                                                                                • Instruction ID: c7e8f003bc16a1e3d2b43c246ec8b779bdfa85bad0c2b0da56ccf5602d71032f
                                                                                • Opcode Fuzzy Hash: 52cb36dd7ec1598d403ffa0ea9eb1c816150ff7fbc5e9de84f9ffa0664250cf6
                                                                                • Instruction Fuzzy Hash: 554119722483057BD210AB94AC46FFF777CEBC5B14F44012AFB0196282D7A9E94587BA
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0041B19D
                                                                                • GetPropA.USER32(?,AfxOldWndProc423), ref: 0041B1B5
                                                                                • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0041B213
                                                                                  • Part of subcall function 0041AD80: GetWindowRect.USER32(?,0041AF78), ref: 0041ADA5
                                                                                  • Part of subcall function 0041AD80: GetWindow.USER32(?,00000004), ref: 0041ADC2
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 0041B243
                                                                                • RemovePropA.USER32(?,AfxOldWndProc423), ref: 0041B24B
                                                                                • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0041B252
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 0041B259
                                                                                  • Part of subcall function 0041AD5D: GetWindowRect.USER32(?,?), ref: 0041AD69
                                                                                • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 0041B2AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                                                                • String ID: AfxOldWndProc423
                                                                                • API String ID: 2397448395-1060338832
                                                                                • Opcode ID: 80c45c0c02dafc328158b1c405deb7ce4c91ca0f2c5b6a9e290b54ba4727ce13
                                                                                • Instruction ID: 71dc919084dd5bef444c1e0eded7978f2e1d6b3bbcafe1a2655b37ab66c75b0e
                                                                                • Opcode Fuzzy Hash: 80c45c0c02dafc328158b1c405deb7ce4c91ca0f2c5b6a9e290b54ba4727ce13
                                                                                • Instruction Fuzzy Hash: 2731A632901209BBCF01AFA5DD49EFF7F79EF49311F00052AF905A2150C739995197A9
                                                                                APIs
                                                                                • RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0041E1C5
                                                                                • RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0041E1D9
                                                                                • RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0041E1F4
                                                                                • RegQueryValueExA.ADVAPI32(?,00436190,00000000,?,00000000,?,00000104), ref: 0041E21D
                                                                                  • Part of subcall function 0041ED11: lstrlenA.KERNEL32(?,00000100,0041FB45,000000FF,?,00000000,000000FF,00000100,!@,!@,?,00000100,?,?), ref: 0041ED24
                                                                                • RegCloseKey.ADVAPI32(?,000000FF), ref: 0041E23B
                                                                                • RegCloseKey.ADVAPI32(00000001), ref: 0041E240
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0041E245
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$QueryValuelstrlen
                                                                                • String ID: CLSID$InProcServer32
                                                                                • API String ID: 1568031711-323508013
                                                                                • Opcode ID: 815707cb35f106c8a3b5c82e8afffd5ff1c51b5382b31945d84ff29ecc3d5788
                                                                                • Instruction ID: da3d4542035c4539d3249e0d73c93b92b80908c5b15fc17c4e8d0d3542e0066d
                                                                                • Opcode Fuzzy Hash: 815707cb35f106c8a3b5c82e8afffd5ff1c51b5382b31945d84ff29ecc3d5788
                                                                                • Instruction Fuzzy Hash: F7113A76A00218BBDF00AFA5CC80DDEBB7DEF48354B11816AF904A3250D675AE419B94
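The "APIs" lists in these function blocks are printed exactly as Joe Sandbox recovers them: call-site address, module, and the stack slots as raw hex, with no symbolic names. Reading the block above means knowing by heart that 80000000 is HKEY_CLASSES_ROOT, that 00000104 is 260 (MAX_PATH), and that the three RegOpenKeyA calls walk HKCR\CLSID\{clsid}\InProcServer32, i.e. the function resolves a COM in-process server DLL path from a CLSID. The following is an added example, not part of the report and not Joe Sandbox or IDA plugin code: a small Python parser for lines in this layout that annotates the immediates a triager cares about and names the behaviours they imply. The constant values are Windows SDK values; the observation that the report prints small negative immediates as their low byte (GWL_WNDPROC is -4 and appears as 000000FC in the SetWindowLongA call at 0041B243) is inferred from the listing itself, as is the reading of the trailing 00000104 on the RegQueryValueExA line as the lpcbData value sitting in a stack slot past the formal parameters. The sample input is constructed from the lines of this block plus that SetWindowLongA line.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function block and annotate the
raw hex immediates with the Win32 constant names a triager wants to see."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "APIs" line: optional "Part of subcall function XXXXXXXX:" prefix,
# then Api.MODULE(args), then the call-site address after "ref:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # stack slots as printed; '?' means the sandbox could not resolve one
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address when the line is a "Part of subcall function" entry

# Windows SDK values, keyed by (api, stack slot index). The report prints slots past
# the formal parameters too, and prints small negative immediates as their low byte
# (GWL_WNDPROC = -4 appears as 000000FC), so the GWL table is keyed on that byte.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
GWL = {0xF0: "GWL_STYLE", 0xEC: "GWL_EXSTYLE", 0xFC: "GWL_WNDPROC",
       0xF8: "GWL_HWNDPARENT", 0xF4: "GWL_ID", 0xEB: "GWL_USERDATA"}
WM = {0x31: "WM_GETFONT", 0x110: "WM_INITDIALOG", 0x115: "WM_VSCROLL"}
CONSTS: Dict[tuple, Dict[int, str]] = {
    ("RegOpenKeyA", 0): HKEYS,
    ("RegQueryValueExA", 6): {0x104: "MAX_PATH"},   # slot 6: the lpcbData value (inferred)
    ("GetWindowLongA", 1): GWL,
    ("SetWindowLongA", 1): GWL,
    ("SendMessageA", 1): WM,
    ("CallWindowProcA", 2): WM,
    ("GetStockObject", 0): {0x0D: "SYSTEM_FONT", 0x11: "DEFAULT_GUI_FONT"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("SetBkMode", 1): {1: "TRANSPARENT", 2: "OPAQUE"},
    ("GetWindow", 1): {4: "GW_OWNER"},
    ("VariantChangeType", 3): {8: "VT_BSTR"},
}

# Constructed input: the CLSID lookup block from the report plus the
# SetWindowLongA line of the subclassing function, in the printed layout.
SAMPLE = """\
• RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0041E1C5
• RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0041E1D9
• RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0041E1F4
• RegQueryValueExA.ADVAPI32(?,00436190,00000000,?,00000000,?,00000104), ref: 0041E21D
  • Part of subcall function 0041ED11: lstrlenA.KERNEL32(?,00000100,0041FB45,000000FF,?,00000000,000000FF,00000100,!@,!@,?,00000100,?,?), ref: 0041ED24
• RegCloseKey.ADVAPI32(?,000000FF), ref: 0041E23B
• RegCloseKey.ADVAPI32(00000001), ref: 0041E240
• RegCloseKey.ADVAPI32(?), ref: 0041E245
• SetWindowLongA.USER32(?,000000FC,?), ref: 0041B243
"""

def parse_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one 'APIs' line, or None for any other line."""
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("mod"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)

def parse_block(text: str) -> List[ApiCall]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]

def describe(call: ApiCall) -> str:
    """Render the call with known immediates replaced by their symbolic names."""
    shown = []
    for i, tok in enumerate(call.args):
        table = CONSTS.get((call.api, i))
        if table and HEX_RE.match(tok):
            shown.append(table.get(int(tok, 16), tok))
        else:
            shown.append(tok)
    return f"{call.ref:08X} {call.api}.{call.module}({', '.join(shown)})"

def flag_sequences(calls: List[ApiCall]) -> List[str]:
    """Name the behaviours a triager would want called out; extend with more rules."""
    findings = []
    tokens = {t for c in calls for t in c.args}
    if {"CLSID", "InProcServer32"} <= tokens and any(c.api == "RegQueryValueExA" for c in calls):
        findings.append("COM server lookup: HKCR\\CLSID\\{clsid}\\InProcServer32 read into a MAX_PATH buffer")
    for c in calls:
        # GWL_WNDPROC replacement is window subclassing; MFC does it itself and keeps
        # the original procedure under the AfxOldWndProc423 window property.
        if c.api == "SetWindowLongA" and "GWL_WNDPROC" in describe(c):
            findings.append(f"window subclassing at {c.ref:08X}: SetWindowLongA(GWL_WNDPROC)")
    return findings

if __name__ == "__main__":
    calls = parse_block(SAMPLE)
    for c in calls:
        print(describe(c))
    for f in flag_sequences(calls):
        print("[!]", f)
```

Feed it the "APIs" lines of any block on this page; lines it does not recognise (headers, "Memory Dump Source", the hash lines) are skipped rather than mis-parsed, and tokens it has no table for are left as printed so nothing is silently relabelled.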
                                                                                APIs
                                                                                • GetWindowRect.USER32(?,0000F000), ref: 00425127
                                                                                • EqualRect.USER32(0000F000,?), ref: 00425144
                                                                                  • Part of subcall function 0041A9D5: SetWindowPos.USER32(?,?,000000F9,00000800,?,00000000,?,?,004252AE,00000000,00000002,00000002,00000000,00000000,00000115,?), ref: 0041A9FC
                                                                                • IsWindowVisible.USER32(?), ref: 004251CD
                                                                                • CopyRect.USER32(00000080,?), ref: 004251FF
                                                                                • GetParent.USER32(?), ref: 004252B1
                                                                                • SetParent.USER32(?,?), ref: 004252D0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: RectWindow$Parent$CopyEqualVisible
                                                                                • String ID: 4(@P$@
                                                                                • API String ID: 3103310903-2936297062
                                                                                • Opcode ID: 4d38686095e1cb7416a51bc79a054498187f8d047c9e187b88ffcd456fc680ab
                                                                                • Instruction ID: e0c1d024d0882c1e8d4b120b4ca72821bb4324857222dc4d1a2201c03750fdc1
                                                                                • Opcode Fuzzy Hash: 4d38686095e1cb7416a51bc79a054498187f8d047c9e187b88ffcd456fc680ab
                                                                                • Instruction Fuzzy Hash: E261C031A00A15EFCF10DF65EC85ABF7BB9AF84314F50052AF916E6291CB38A941CB54
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(004541FC,004540C0,00000000,!@,004541FC,!@,0042F2E4,004540C0,00000000,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2), ref: 0042F179
                                                                                • EnterCriticalSection.KERNEL32(00454218,00000010,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F1C8
                                                                                • LeaveCriticalSection.KERNEL32(00454218,00000000,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F1DB
                                                                                • LocalAlloc.KERNEL32(00000000,00000003,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F1F1
                                                                                • LocalReAlloc.KERNEL32(?,00000003,00000002,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F203
                                                                                • TlsSetValue.KERNEL32(004541FC,00000000,00000100,?,?), ref: 0042F23F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                                                • String ID: !@$!@
                                                                                • API String ID: 4117633390-740718224
                                                                                • Opcode ID: 25faaa94b2b3643953fdde55dbb543869867de0602f0b7001dd0e68a52cf309a
                                                                                • Instruction ID: a4e716fd85a0ba00664651dc9fea03eee9ba41a9ab3df599747ccfbbf63b1fcd
                                                                                • Opcode Fuzzy Hash: 25faaa94b2b3643953fdde55dbb543869867de0602f0b7001dd0e68a52cf309a
                                                                                • Instruction Fuzzy Hash: 0431DA35200615EFDB24CF15E889FA6B7B8FB85354F80C53AE41687280EB74F919CB64
                                                                                APIs
                                                                                • GetStockObject.GDI32(00000011), ref: 0041F289
                                                                                • GetStockObject.GDI32(0000000D), ref: 0041F291
                                                                                • GetObjectA.GDI32(00000000,0000003C,?), ref: 0041F29E
                                                                                • GetDC.USER32(00000000), ref: 0041F2AD
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041F2C4
                                                                                • MulDiv.KERNEL32(?,00000048,00000000), ref: 0041F2D0
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041F2DB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Object$Stock$CapsDeviceRelease
                                                                                • String ID: System
                                                                                • API String ID: 46613423-3470857405
                                                                                • Opcode ID: 43ccb163a9b3efb12ce1401b999bf098216a041bc7914ab6b25c489b3f682215
                                                                                • Instruction ID: 680e96f47522deca49dfe6f110276960a8af2a4cd47d5789deeaa508ae7d099a
                                                                                • Opcode Fuzzy Hash: 43ccb163a9b3efb12ce1401b999bf098216a041bc7914ab6b25c489b3f682215
                                                                                • Instruction Fuzzy Hash: C7117035B00318BBEB009BA1DC45BEE3BB8AB44795F104036F605E7280D775AD868BA8
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040AC06), ref: 0040F1FD
                                                                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040AC06), ref: 0040F211
                                                                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040AC06), ref: 0040F23D
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040AC06), ref: 0040F275
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040AC06), ref: 0040F297
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040AC06), ref: 0040F2B0
                                                                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040AC06), ref: 0040F2C3
                                                                                • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040F301
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                 • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
APIs
• __EH_prolog.LIBCMT ref: 00431252
• lstrlenA.KERNEL32(?,?,00000000), ref: 0043127D
  • Part of subcall function 00430FCE: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00431099
  • Part of subcall function 00430FCE: SysFreeString.OLEAUT32(00000000), ref: 004310C6
• VariantClear.OLEAUT32(0000000C), ref: 004313BA
Strings
Similarity
• API ID: Variant$ChangeClearFreeH_prologStringTypelstrlen
• String ID: `Dv
• API String ID: 2273458292-3059127152
APIs
• GetPropA.USER32(?,00000000), ref: 004171F3
• CallWindowProcA.USER32(00000000), ref: 00417215
  • Part of subcall function 00414080: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 004140A6
  • Part of subcall function 00414080: RemovePropA.USER32(?,00000000), ref: 004140BE
  • Part of subcall function 00414080: RemovePropA.USER32(?,00000000), ref: 004140CA
Similarity
• API ID: Prop$CallProcRemoveWindow
• String ID:
• API String ID: 2276450057-0
APIs
• SetBkColor.GDI32(?), ref: 0041417D
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004141CA
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004141F9
• SetBkColor.GDI32(?,?), ref: 00414217
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00414242
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041427C
• SetBkColor.GDI32(?,00000000), ref: 00414284
Similarity
• API ID: Text$Color
• String ID:
• API String ID: 3751486306-0
APIs
• GetWindow.USER32(?,00000002), ref: 00409070
• GetParent.USER32(?), ref: 00409083
  • Part of subcall function 00408FFC: GetWindowLongA.USER32(?,000000F0), ref: 00409014
  • Part of subcall function 00408FFC: GetParent.USER32(?), ref: 0040902D
  • Part of subcall function 00408FFC: GetWindowLongA.USER32(?,000000EC), ref: 00409040
• GetWindow.USER32(?,00000002), ref: 004090A6
• GetWindow.USER32(?,00000002), ref: 004090B8
• GetWindowLongA.USER32(?,000000EC), ref: 004090C8
• IsWindowVisible.USER32(?), ref: 004090E1
• GetTopWindow.USER32(?), ref: 00409107
Similarity
• API ID: Window$Long$Parent$Visible
• String ID:
• API String ID: 3473418232-0
APIs
Strings
Similarity
• API ID: H_prolog
• String ID: (wC$DD$HvC$dvC$hwC
• API String ID: 3519838083-3656753481
APIs
Strings
Similarity
• API ID: Version$ClipboardFormatRegister
• String ID: MSWHEEL_ROLLMSG
• API String ID: 2888461884-2485103130
APIs
• __EH_prolog.LIBCMT ref: 0042E1A2
• SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0042E1DD
  • Part of subcall function 00422761: __EH_prolog.LIBCMT ref: 00422766
  • Part of subcall function 00422761: GetDC.USER32(?), ref: 0042278F
• SelectObject.GDI32(?,00000000), ref: 0042E1FC
• GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 0042E244
• GetSystemMetrics.USER32(00000000), ref: 0042E266
• SelectObject.GDI32(?,?), ref: 0042E2A3
Similarity
• API ID: H_prologObjectSelect$ExtentMessageMetricsPoint32SendSystemText
• String ID:
• API String ID: 3673216194-0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00421063
                                                                                • GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00421096
                                                                                • GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 004210BC
                                                                                  • Part of subcall function 0041ED11: lstrlenA.KERNEL32(?,00000100,0041FB45,000000FF,?,00000000,000000FF,00000100,!@,!@,?,00000100,?,?), ref: 0041ED24
                                                                                  • Part of subcall function 0041E038: DeleteFileA.KERNEL32(?), ref: 0041E03C
                                                                                  • Part of subcall function 0041E038: GetLastError.KERNEL32(00000000), ref: 0041E047
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
                                                                                • String ID: DD$MFC
                                                                                • API String ID: 501224598-4235816528
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0041E09D
                                                                                  • Part of subcall function 0041E135: wsprintfA.USER32 ref: 0041E185
                                                                                  • Part of subcall function 0041E1A4: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0041E1C5
                                                                                  • Part of subcall function 0041E1A4: RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0041E1D9
                                                                                  • Part of subcall function 0041E1A4: RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0041E1F4
                                                                                  • Part of subcall function 0041E1A4: RegQueryValueExA.ADVAPI32(?,00436190,00000000,?,00000000,?,00000104), ref: 0041E21D
                                                                                  • Part of subcall function 0041E1A4: RegCloseKey.ADVAPI32(?,000000FF), ref: 0041E23B
                                                                                  • Part of subcall function 0041E1A4: RegCloseKey.ADVAPI32(00000001), ref: 0041E240
                                                                                  • Part of subcall function 0041E1A4: RegCloseKey.ADVAPI32(?), ref: 0041E245
                                                                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,0041E06F,?,00439220,00000000), ref: 0041E0E0
                                                                                • GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0041E0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
                                                                                • String ID: DllGetClassObject$DD
                                                                                • API String ID: 821125782-2963330934
                                                                                APIs
                                                                                  • Part of subcall function 00428B83: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00428BA0
                                                                                  • Part of subcall function 00428B83: GetMessageA.USER32(0000000F,00000000,0000000F,0000000F), ref: 00428BAE
                                                                                  • Part of subcall function 00428B83: DispatchMessageA.USER32(?), ref: 00428BC1
                                                                                  • Part of subcall function 00428B83: SetRectEmpty.USER32(?), ref: 00428BEA
                                                                                  • Part of subcall function 00428B83: GetDesktopWindow.USER32 ref: 00428C02
                                                                                  • Part of subcall function 00428B83: LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00428C13
                                                                                  • Part of subcall function 00428B83: GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00428C2A
                                                                                  • Part of subcall function 0042259B: GetModuleHandleA.KERNEL32(GDI32.DLL,?,004282EC), ref: 004225A3
                                                                                  • Part of subcall function 0042259B: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 004225AF
                                                                                • GetWindowRect.USER32(?,?), ref: 0042830F
                                                                                  • Part of subcall function 004225D1: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,004282F9,00000000), ref: 004225DA
                                                                                  • Part of subcall function 004225D1: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 004225E8
                                                                                • GetWindowRect.USER32(?,?), ref: 004283FB
                                                                                  • Part of subcall function 00428200: OffsetRect.USER32(?,?,?), ref: 00428237
                                                                                  • Part of subcall function 0042860D: OffsetRect.USER32(?,?,?), ref: 00428636
                                                                                  • Part of subcall function 0042860D: OffsetRect.USER32(?,?,?), ref: 00428640
                                                                                  • Part of subcall function 0042860D: OffsetRect.USER32(?,?,?), ref: 0042864A
                                                                                  • Part of subcall function 0042860D: OffsetRect.USER32(?,?,?), ref: 00428654
                                                                                  • Part of subcall function 00428F54: GetCapture.USER32 ref: 00428F65
                                                                                  • Part of subcall function 00428F54: SetCapture.USER32(?), ref: 00428F75
                                                                                  • Part of subcall function 00428F54: GetCapture.USER32 ref: 00428F81
                                                                                  • Part of subcall function 00428F54: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00428F9B
                                                                                  • Part of subcall function 00428F54: DispatchMessageA.USER32(?), ref: 00428FCD
                                                                                  • Part of subcall function 00428F54: GetCapture.USER32 ref: 0042902B
                                                                                • GetWindowRect.USER32(?,?), ref: 004284A4
                                                                                • InflateRect.USER32(?,00000002,00000002), ref: 004285A5
                                                                                • InflateRect.USER32(?,00000002,00000002), ref: 004285B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
                                                                                • String ID:
                                                                                • API String ID: 2041477333-0
                                                                                APIs
                                                                                • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 0042A290
                                                                                • GlobalAddAtomA.KERNEL32(?), ref: 0042A29F
                                                                                • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 0042A2B5
                                                                                • GlobalAddAtomA.KERNEL32(?), ref: 0042A2BE
                                                                                • SendMessageA.USER32(?,000003E4,?,?), ref: 0042A2E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: AtomGlobal$Name$MessageSend
                                                                                • String ID:
                                                                                • API String ID: 1515195355-0
                                                                                APIs
                                                                                • GetSysColor.USER32(00000000), ref: 004151D1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Color
                                                                                • String ID: \E$\E
                                                                                • API String ID: 2811717613-2746232386
                                                                                APIs
                                                                                • GlobalLock.KERNEL32 ref: 0041F16F
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041F1C2
                                                                                • GlobalUnlock.KERNEL32(?), ref: 0041F259
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Global$ByteCharLockMultiUnlockWide
                                                                                • String ID: @
                                                                                • API String ID: 231414890-2766056989
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00406233
                                                                                • VariantClear.OLEAUT32(?), ref: 004062E5
                                                                                • CoTaskMemFree.OLE32(?,?,?,00000000), ref: 00406382
                                                                                • CoTaskMemFree.OLE32(?,?,?,00000000), ref: 00406390
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: FreeTask$ClearH_prologVariant
                                                                                • String ID:
                                                                                • API String ID: 82050969-0
                                                                                • Opcode ID: 4d4c8e8399897d581869b13edd6f2d44f4a8ea1d4a2853cfb14f23e6d87a3ec8
                                                                                • Instruction ID: cca9ab27a807a4eb608c6d552b9304f42e96e034022c9e939e51edc86cf95e29
                                                                                • Opcode Fuzzy Hash: 4d4c8e8399897d581869b13edd6f2d44f4a8ea1d4a2853cfb14f23e6d87a3ec8
                                                                                • Instruction Fuzzy Hash: B76138716006019FCB20EFA5C9C496AB7F2BF48304715087EE547AB6A1CB38EC95CB54
                                                                                APIs
                                                                                • SetActiveWindow.USER32(?), ref: 0042A16E
                                                                                • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 0042A189
                                                                                • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 0042A1AB
                                                                                • DragFinish.SHELL32(?), ref: 0042A1C4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Drag$FileQuery$ActiveFinishWindow
                                                                                • String ID:
                                                                                • API String ID: 892977027-0
                                                                                • Opcode ID: 4cd287a8c855992615870ea2b7974c82dac590508f08ee5ae92fc0dd08fcca46
                                                                                • Instruction ID: 108b5619dc16aecb212f131e3c56ec81a65b44d26c62b69662b82c5c41f34d9e
                                                                                • Opcode Fuzzy Hash: 4cd287a8c855992615870ea2b7974c82dac590508f08ee5ae92fc0dd08fcca46
                                                                                • Instruction Fuzzy Hash: 2D016271600118BFDB01AFA4DC84CEE7B7DEF44368B114166F55597061CB74AD91CB64
                                                                                APIs
                                                                                • GetObjectA.GDI32(00000000,0000000C,?), ref: 0041D13F
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 0041D14B
                                                                                • GetSysColor.USER32(00000008), ref: 0041D15B
                                                                                • SetTextColor.GDI32(00000000,?), ref: 0041D165
                                                                                  • Part of subcall function 00422B07: GetWindowLongA.USER32(00000000,000000F0), ref: 00422B18
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: Color$LongObjectTextWindow
                                                                                • String ID:
                                                                                • API String ID: 2871169696-0
                                                                                • Opcode ID: 864d072a8f80cd4b2d0686846c315ff497bd32117a5c2fd3526d8f5ddf559190
                                                                                • Instruction ID: 1e797d0ee0013cf17687fc1d9566e62d98bbe7ce0821cd40f344347b27655da1
                                                                                • Opcode Fuzzy Hash: 864d072a8f80cd4b2d0686846c315ff497bd32117a5c2fd3526d8f5ddf559190
                                                                                • Instruction Fuzzy Hash: B60146B4900218BBDF219F64EC89AEB3B79AB10350F104622FA01C42F0C778DDD0DAA9
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00423118
                                                                                • lstrcmpiA.KERNEL32(00000000,?), ref: 00423191
                                                                                  • Part of subcall function 0041E508: lstrcmpiA.KERNEL32(?,?), ref: 0041E51B
                                                                                  • Part of subcall function 0041E508: GetSystemMetrics.USER32(0000002A), ref: 0041E52B
                                                                                  • Part of subcall function 0041E508: lstrlenA.KERNEL32(?), ref: 0041E540
                                                                                  • Part of subcall function 0041E508: lstrlenA.KERNEL32(?), ref: 0041E547
                                                                                  • Part of subcall function 0041E508: GetThreadLocale.KERNEL32 ref: 0041E54D
                                                                                  • Part of subcall function 0041E508: GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 0041E568
                                                                                  • Part of subcall function 0041E508: GetStringTypeA.KERNEL32(00000000,00000004,?,000000FF,?), ref: 0041E577
                                                                                  • Part of subcall function 0041E508: GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 0041E588
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: StringType$lstrcmpilstrlen$H_prologLocaleMetricsSystemThread
                                                                                • String ID: DD
                                                                                • API String ID: 3097575430-194360491
                                                                                • Opcode ID: a75f79da513a266e21e936daa3ffa2ab2827f604bbfb2ec08a645f7f6148cba8
                                                                                • Instruction ID: f7a10a45aee5e804e5554c0c84cfad89ab48cdf9e4ce43fb18ba53d8ba0778da
                                                                                • Opcode Fuzzy Hash: a75f79da513a266e21e936daa3ffa2ab2827f604bbfb2ec08a645f7f6148cba8
                                                                                • Instruction Fuzzy Hash: 09219A35700214AFDB249F59D844BAE77B8AF04366F10812AF515DA290DB7CCA00CB18
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0040106A
                                                                                  • Part of subcall function 0042CF96: __EH_prolog.LIBCMT ref: 0042CF9B
                                                                                  • Part of subcall function 0041AA24: ShowWindow.USER32(?,?,0042567E,00000000,?,00425307,00000800,000000FF), ref: 0041AA32
                                                                                • UpdateWindow.USER32(?), ref: 00401114
                                                                                Strings
                                                                                • Local AppWizard-Generated Applications, xrefs: 00401085
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: H_prologWindow$ShowUpdate
                                                                                • String ID: Local AppWizard-Generated Applications
                                                                                • API String ID: 3134774084-3869840320
                                                                                • Opcode ID: aee13531ef85e989eab3f896029f95cb0aec5ffb2427248da2dae0fd544f760d
                                                                                • Instruction ID: eb3b9fcdc81eb187aeda14bdc4a92a3655f99a8a23c5c227c07eb78f889adc0a
                                                                                • Opcode Fuzzy Hash: aee13531ef85e989eab3f896029f95cb0aec5ffb2427248da2dae0fd544f760d
                                                                                • Instruction Fuzzy Hash: 89110531B01210ABCB18FBA6E913B9E76B59F84714F10012FF112A32E1DFBC5A01C65D
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: EmptyH_prologRect
                                                                                • String ID: DD
                                                                                • API String ID: 3423232085-194360491
                                                                                • Opcode ID: 6a6e61a623a00964436f836d32c6ed32e132278a6d5cbc13ac7fe8a2e2b92db8
                                                                                • Instruction ID: 0f0370e7f53ffa22ed5a8dbb317500a8413348f35a1b1fbbb851ead9399ff110
                                                                                • Opcode Fuzzy Hash: 6a6e61a623a00964436f836d32c6ed32e132278a6d5cbc13ac7fe8a2e2b92db8
                                                                                • Instruction Fuzzy Hash: 9F21CBB0A01B509FD3209F6AC54179AFBF8BFA1314F008A1FD1EA826A1CBB46540CF52
                                                                                APIs
                                                                                • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0040DDD0,00000000,00000000,00000000,0040A4C8,00000000,00000000,?,00000000,00000000,00000000), ref: 0040E030
                                                                                • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0040DDD0,00000000,00000000,00000000,0040A4C8,00000000,00000000,?,00000000,00000000,00000000), ref: 0040E064
                                                                                • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0040E07E
                                                                                • HeapFree.KERNEL32(00000000,?), ref: 0040E095
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2181115833.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2181093981.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181226581.0000000000434000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181249620.0000000000441000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181274772.0000000000446000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181325507.000000000044B000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181351646.000000000044C000.00000008.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181368669.000000000044D000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000451000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181391125.0000000000454000.00000004.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000003.00000002.2181428548.0000000000457000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_look2.jbxd
                                                                                Similarity
                                                                                • API ID: AllocHeap$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 3499195154-0
                                                                                • Opcode ID: 36025868dbcf288fbceeb8b1ad5db0684caf53a44205f3853954b93baf7b72bb
                                                                                • Instruction ID: ab96931628ef73639624908ce36ffc80b87ec16b123623a92d249a54e411fdb9
                                                                                • Opcode Fuzzy Hash: 36025868dbcf288fbceeb8b1ad5db0684caf53a44205f3853954b93baf7b72bb
                                                                                • Instruction Fuzzy Hash: 76112B70200B019FCB218F69EC95D627BB5FB957227601A39E252D69B1D371EC55CF08